fyi... if you're running samba it's vulnerable

Forwarded Message:

> To: agent99at_private
> From: SGI Security Coordinator <agent99at_private>
> Subject: [Full-Disclosure] Samba Security Vulnerability on IRIX
> Date: Wed, 9 Apr 2003 11:02:42 -0700
> -----
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ______________________________________________________________________________
>                           SGI Security Advisory
>
>         Title    : Samba Security Vulnerability
>         Number   : 20030403-01-P
>         Date     : April 9, 2003
>         Reference: CVE CAN-2003-0201
>         Reference: SGI BUG 886996
>         Fixed in : Samba 2.2.8a or patch 5065
> ______________________________________________________________________________
>
> - -----------------------
> - --- Issue Specifics ---
> - -----------------------
>
> It's been reported that there is a vulnerability in Samba versions up to and
> including Samba 2.2.8. This vulnerability, if exploited correctly, leads to
> an anonymous user gaining root access on a Samba serving system.
>
> See: http://master.samba.org/samba/samba.html (Samba News 7 Apr, 2003)
>      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201
>
> SGI has investigated the issue and recommends the following steps for
> neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
> implemented on ALL vulnerable SGI systems.
>
> These issues have been corrected in future releases of Samba and with a
> patch for SGI's Samba 2.2.8.
>
>
> - --------------
> - --- Impact ---
> - --------------
>
> Samba for Irix is not installed by default on IRIX 6.5 systems. It is an
> optional product that can be purchased and installed as "samba_irix".
>
> To determine the version of IRIX you are running, execute the following
> command:
>
>   # /bin/uname -R
>
> That will return a result similar to the following:
>
>   # 6.5 6.5.19f
>
> The first number ("6.5") is the release name, the second ("6.5.16f" in this
> case) is the extended release name. The extended release name is the
> "version" we refer to throughout this document.
>
> To see if Samba is installed, execute the following command:
>
>   % versions samba_irix
>   I = Installed, R = Removed
>
>      Name                     Date        Description
>
>   I  samba_irix               07/02/2002  Samba 2.2.4 for IRIX
>   I  samba_irix.man           07/02/2002  Samba Online Documentation
>   I  samba_irix.man.doc       07/02/2002  Samba 2.2.4 Documentation
>   I  samba_irix.man.manpages  07/02/2002  Samba 2.2.4 Man Page
>   I  samba_irix.man.relnotes  07/02/2002  Samba 2.2.4 Release Notes
>   I  samba_irix.src           07/02/2002  Samba Source Code
>   I  samba_irix.src.samba     07/02/2002  Samba 2.2.4 Source Code
>   I  samba_irix.sw            07/02/2002  Samba Execution Environment
>   I  samba_irix.sw.base       07/02/2002  Samba 2.2.4 Execution Environment
>
> If the result is similar to the above and the version shown is less than
> 2.2.8a, then the system is vulnerable.
>
>
> - ----------------------------
> - --- Temporary Workaround ---
> - ----------------------------
>
> Though it is possible to limit exposure by filtering what IPs can talk to
> your Samba server, there is no effective workaround to fully address these
> problems. SGI recommends upgrading to Samba 2.2.8 and installing patch 5065.
>
>
> - ----------------
> - --- Solution ---
> - ----------------
>
> SGI has provided a patch for Samba 2.2.8 for this vulnerability. Our
> recommendation is to upgrade to Samba 2.2.8 and install the patch.
>
> Patch 5065 only applies to the samba_irix 2.2.8 package.
> This patch will not apply to the freeware versions of samba available from:
> http://freeware.sgi.com/ , http://www.samba.org/ and
> http://master.samba.org/samba/ftp/Binary_Packages/IRIX/
>
>
>    OS Version     Vulnerable?     Patch #      Other Actions
>    ----------     -----------     -------      -------------
>    IRIX 3.x        unknown                     Note 1
>    IRIX 4.x        unknown                     Note 1
>    IRIX 5.x        unknown                     Note 1
>    IRIX 6.0.x      unknown                     Note 1
>    IRIX 6.1        unknown                     Note 1
>    IRIX 6.2        unknown                     Note 1
>    IRIX 6.3        unknown                     Note 1
>    IRIX 6.4        unknown                     Note 1
>    IRIX 6.5          yes           5065        Notes 2 & 3
>    IRIX 6.5.1        yes           5065        Notes 2 & 3
>    IRIX 6.5.2        yes           5065        Notes 2 & 3
>    IRIX 6.5.3        yes           5065        Notes 2 & 3
>    IRIX 6.5.4        yes           5065        Notes 2 & 3
>    IRIX 6.5.5        yes           5065        Notes 2 & 3
>    IRIX 6.5.6        yes           5065        Notes 2 & 3
>    IRIX 6.5.7        yes           5065        Notes 2 & 3
>    IRIX 6.5.8        yes           5065        Notes 2 & 3
>    IRIX 6.5.9        yes           5065        Notes 2 & 3
>    IRIX 6.5.10       yes           5065        Notes 2 & 3
>    IRIX 6.5.11       yes           5065        Notes 2 & 3
>    IRIX 6.5.12       yes           5065        Notes 2 & 3
>    IRIX 6.5.13       yes           5065        Notes 2 & 3
>    IRIX 6.5.14       yes           5065        Notes 2 & 3
>    IRIX 6.5.15       yes           5065        Notes 2 & 3
>    IRIX 6.5.16       yes           5065        Notes 2 & 3
>    IRIX 6.5.17       yes           5065        Notes 2 & 3
>    IRIX 6.5.18       yes           5065        Notes 2 & 3
>    IRIX 6.5.19       yes           5065        Notes 2 & 3
>    IRIX 6.5.20       yes           5065        Notes 2 & 3
>
> NOTES
>
>   1) This version of the IRIX operating system has been retired. Upgrade to an
>      actively supported IRIX operating system. See http://support.sgi.com
>      for more information.
>
>   2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
>      SGI Support Provider or URL: http://support.sgi.com
>
>   3) If a version of Samba prior to 2.2.8a is installed, the system is
>      vulnerable and you should upgrade to Samba 2.2.8 and install the patch.
>
>
>              ##### Patch File Checksums ####
>
> The actual patch will be a tar file containing the following files:
>
> Filename:                 README.patch.5065
> Algorithm #1 (sum -r):    52833 8 README.patch.5065
> Algorithm #2 (sum):       19672 8 README.patch.5065
> MD5 checksum:             FFB8A9F3304A2C9A793C8C8888E4CBD6
>
> Filename:                 patchSG0005065
> Algorithm #1 (sum -r):    21712 2 patchSG0005065
> Algorithm #2 (sum):       7400 2 patchSG0005065
> MD5 checksum:             2A80FB9188A81306441E0530200EC184
>
> Filename:                 patchSG0005065.idb
> Algorithm #1 (sum -r):    65085 4 patchSG0005065.idb
> Algorithm #2 (sum):       64041 4 patchSG0005065.idb
> MD5 checksum:             2A5195E64FC6F093B733CA7C22A7B90C
>
> Filename:                 patchSG0005065.samba_irix_src
> Algorithm #1 (sum -r):    02420 284 patchSG0005065.samba_irix_src
> Algorithm #2 (sum):       29510 284 patchSG0005065.samba_irix_src
> MD5 checksum:             2E8049C4A7108726D8BF15026BCDE687
>
> Filename:                 patchSG0005065.samba_irix_sw
> Algorithm #1 (sum -r):    16886 2400 patchSG0005065.samba_irix_sw
> Algorithm #2 (sum):       34027 2400 patchSG0005065.samba_irix_sw
> MD5 checksum:             457451125CFBACF454CE6C990E5CECC0
>
>
> - ------------------------
> - --- Acknowledgments ----
> - ------------------------
>
> SGI wishes to thank The Samba Team and the users of the Internet Community
> at large for their assistance in this matter.
>
>
> - -------------
> - --- Links ---
> - -------------
>
> SGI Security Advisories can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/advisories/
>
> SGI Security Patches can be found at:
> http://www.sgi.com/support/security/ and
> ftp://patches.sgi.com/support/free/security/patches/
>
> SGI patches for IRIX can be found at the following patch servers:
> http://support.sgi.com/ and ftp://patches.sgi.com/
>
> SGI freeware updates for IRIX can be found at:
> http://freeware.sgi.com/
>
> SGI fixes for SGI open sourced code can be found on:
> http://oss.sgi.com/projects/
>
> SGI patches and RPMs for Linux can be found at:
> http://support.sgi.com/
>
> SGI patches for Windows NT or 2000 can be found at:
> http://support.sgi.com/
>
> IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
> http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/
>
> IRIX 6.5 Maintenance Release Streams can be found at:
> http://support.sgi.com/
>
> IRIX 6.5 Software Update CDs can be obtained from:
> http://support.sgi.com/
>
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com. Security advisories and patches are located under the URL
> ftp://patches.sgi.com/support/free/security/
>
> For security and patch management reasons, ftp.sgi.com (mirrors
> patches.sgi.com security FTP repository) lags behind and does not do a
> real-time update.
>
>
>
> - -----------------------------------------
> - --- SGI Security Information/Contacts ---
> - -----------------------------------------
>
> If there are questions about this document, email can be sent to
> security-infoat_private
>
>                       ------oOo------
>
> SGI provides security information and patches for use by the entire SGI
> community. This information is freely available to any person needing the
> information and is available via anonymous FTP and the Web.
>
> The primary SGI anonymous FTP site for security advisories and patches is
> patches.sgi.com. Security advisories and patches are located under the URL
> ftp://patches.sgi.com/support/free/security/
>
> The SGI Security Headquarters Web page is accessible at the URL:
> http://www.sgi.com/support/security/
>
> For issues with the patches on the FTP sites, email can be sent to
> security-infoat_private
>
> For assistance obtaining or working with security patches, please
> contact your SGI support provider.
>
>                       ------oOo------
>
> SGI provides a free security mailing list service called wiretap and
> encourages interested parties to self-subscribe to receive (via email) all
> SGI Security Advisories when they are released. Subscribing to the mailing
> list can be done via the Web
> (http://www.sgi.com/support/security/wiretap.html) or by sending email to
> SGI as outlined below.
>
>   % mail wiretap-requestat_private
>   subscribe wiretap <YourEmailAddress such as aaanalystat_private >
>   end
>   ^d
>
> In the example above, <YourEmailAddress> is the email address that you wish
> the mailing list information sent to. The word end must be on a separate
> line to indicate the end of the body of the message. The control-d (^d) is
> used to indicate to the mail program that you are finished composing the
> mail message.
>
>
>                       ------oOo------
>
> SGI provides a comprehensive customer World Wide Web site. This site is
> located at http://www.sgi.com/support/security/ .
>
>                       ------oOo------
>
> If there are general security questions on SGI systems, email can be sent to
> security-infoat_private
>
> For reporting *NEW* SGI security issues, email can be sent to
> security-alertat_private or contact your SGI support provider. A support
> contract is not required for submitting a security report.
>
> ______________________________________________________________________________
>       This information is provided freely to all interested parties
>       and may be redistributed provided that it is not altered in any
>       way, SGI is appropriately credited and the document retains and
>       includes its valid PGP signature.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBPpRcUrQ4cFApAP75AQEKMQP+Pp8FTIURkyimzflGu7wRpzKkBtTRBdW7
> 7XiZXWzVqM9Hy46uFkMme5+C6sA3+ah30tx6JZaYJb7mL8wSRMvsitQXF48Bl4Zy
> c3rJp7edEpxbhh+c2Wj4xYRLMolRX/lSZ8qAdmZcpOvWaUvTMOZlR6SmoqM1xp5B
> JtSTN9YbgG4=
> =Tc6B
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
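The advisory's detection step (run `versions samba_irix`, read the Samba version off the top-level `samba_irix` line, and treat anything below 2.2.8a as vulnerable) written out as a script. This is an added example, not part of the SGI advisory or the forwarded post. It parses the listing format the advisory shows from a constructed sample that mirrors it, orders versions so that 2.2.8 sorts below 2.2.8a and 2.2.10 above 2.2.8, and can also invoke the real `versions` command on an IRIX host; that the command is on `PATH` and prints the same layout is an assumption.

```python
"""Decide whether an IRIX host's samba_irix package predates the fixed Samba release.

Added example (not SGI's code). Parses `versions samba_irix` output in the layout
the advisory shows and compares the installed Samba version with 2.2.8a.
"""
import re
import subprocess
from typing import Optional, Tuple

# From the advisory: "Fixed in : Samba 2.2.8a or patch 5065".
FIXED_VERSION = "2.2.8a"

# Constructed sample, modelled on the advisory's `versions samba_irix` listing.
SAMPLE_VERSIONS_OUTPUT = """\
I = Installed, R = Removed

   Name                     Date        Description

I  samba_irix               07/02/2002  Samba 2.2.4 for IRIX
I  samba_irix.man           07/02/2002  Samba Online Documentation
I  samba_irix.sw.base       07/02/2002  Samba 2.2.4 Execution Environment
"""

# status, subsystem name, install date, then "Samba <version>" in the description.
LISTING_RE = re.compile(
    r"^(?P<status>[IR])\s+(?P<name>\S+)\s+(?P<date>\S+)\s+Samba\s+"
    r"(?P<ver>\d+(?:\.\d+)*[a-z]?)\b"
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.2.8a' into ((2, 2, 8), 'a').

    Numeric components compare as integers (so 2.2.10 > 2.2.8) and the optional
    letter suffix compares as a string, which puts 2.2.8 below 2.2.8a.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split(".")), m.group(2)


def installed_samba_version(versions_output: str) -> Optional[str]:
    """Return the Samba version on the installed top-level samba_irix line, or None."""
    for line in versions_output.splitlines():
        m = LISTING_RE.match(line)
        if m and m.group("status") == "I" and m.group("name") == "samba_irix":
            return m.group("ver")
    return None


def is_vulnerable(versions_output: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if an installed samba_irix is older than `fixed`, False if not, None if absent."""
    ver = installed_samba_version(versions_output)
    if ver is None:
        return None
    return parse_version(ver) < parse_version(fixed)


def check_live_system() -> Optional[bool]:
    """Run the real IRIX `versions` command (assumed to be on PATH) and evaluate it."""
    proc = subprocess.run(["versions", "samba_irix"], capture_output=True,
                          text=True, check=False)
    return is_vulnerable(proc.stdout)


if __name__ == "__main__":
    verdict = is_vulnerable(SAMPLE_VERSIONS_OUTPUT)
    ver = installed_samba_version(SAMPLE_VERSIONS_OUTPUT)
    if verdict is None:
        print("samba_irix is not installed")
    elif verdict:
        print(f"samba_irix {ver} is older than {FIXED_VERSION}: vulnerable, apply patch 5065")
    else:
        print(f"samba_irix {ver} is at or above {FIXED_VERSION}")
```

The check keys off the top-level `samba_irix` product line rather than the subsystem lines, because the description text on some subsystems ("Samba Online Documentation", "Samba Source Code") carries no version at all. Replace `SAMPLE_VERSIONS_OUTPUT` with `check_live_system()` to evaluate a real host.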
This archive was generated by hypermail 2b30 : Wed Apr 09 2003 - 18:48:15 PDT