-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
            AUSCERT External Security Bulletin Redistribution
                                    
                                    
             ESB-98.099 -- SGI Security Advisory 19980601-01-PX
                      OSF/DCE Denial of Service Attack
                                17 June 1998

===========================================================================

Silicon Graphics Inc. has released the following advisory concerning
a buffer overflow which has been discovered with the Distributed
Computing Environment (DCE) security daemon (secd) causing it to core
dump and no longer accept connections.  Silicon Graphic's implementation
of OSF/DCE is vulnerable to this denial of service attack.

The following security bulletin is provided as a service to AusCERT's
members.  As AusCERT did not write this document, AusCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for SGI is included in the Security Bulletin below.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.


- ------------------------BEGIN INCLUDED TEXT-----------------------

- -----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   OSF/DCE Denial of Service Attack
        Title:   CERT VB-97.12
        Number:  19980601-01-PX
        Date:    June, 16 1998
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose.  In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- - -----------------------
- - --- Issue Specifics ---
- - -----------------------

The Open Group has released an advisory via CERT concerning a buffer overflow
which has been discovered with Distributed Computing Environment (DCE)
security demon (secd) causing it core dump and no longer accept connections.

Silicon Graphic's implementation of OSF/DCE is vulnerable to this denial of
service attack.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.

This issue will be corrected in future releases of Silicon Graphic's OSF/DCE
implementation.


- - --------------
- - --- Impact ---
- - --------------

Any Silicon Graphics System that has purchased OSF/DCE and installed it on
IRIX 5.3, 6.2, 6.3 or 6.4, is vulnerable to this denial of service attack.

The denial of service attack can be performed locally and remotely and without
the use of a local account on the system.

Information on the denial of service attack has been posted as a CERT Vendor
Bulletin from the Open Group and can be found at:

ftp://ftp.cert.org/pub/cert_bulletins/VB-97.12.opengroup


- - ----------------
- - --- Solution ---
- - ----------------

Upgrade to OSF/DCE & DFS 1.1C and install the following patches from the
December 1997 or later Recommended/Required Patch Set:


   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------

   IRIX 3.x          no
   IRIX 4.x          no
   IRIX 5.0.x        no
   IRIX 5.1.x        no
   IRIX 5.2          no
   IRIX 5.3          yes         not avail     see Note 1
   IRIX 6.0.x        no
   IRIX 6.1          no
   IRIX 6.2          yes        2678 or 2679   see Note 2
   IRIX 6.3          yes        2680 or 2681   see Note 2
   IRIX 6.4          yes        2682 or 2683   see Note 2


   NOTES

     1) Upgrade operating system.

     2) Patches 2679, 2681 and 2683 are for the U.S. domestic version of
        OSF/DCE & DFS 1.1C and are not available from the standard SGI patch
        sources because they include strong encryption which cannot be exported
        outside of the United States without authorization.  All U.S. customers
        who have purchased Silicon Graphic's U.S. domestic implementation of
        the OSF/DCE & DFS 1.1C should have received an SGI patch CD which
        contains these restricted patches. Please contact your U.S. SGI support
        provider if you have not received this patch CD:

        SC4-DCEDOM-1.1C   DCE Domestic Security Module 1.1C Patch CD


Patches are available via anonymous FTP and your service/support provider.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Security information and patches can be found
in the ~ftp/security and ~ftp/patches directories, respectfully.



                 ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.2678
Algorithm #1 (sum -r):    03340 18 README.patch.2678
Algorithm #2 (sum):       44196 18 README.patch.2678
MD5 checksum:             3925265EE23DEACDD2421F1B332D6138

Filename:                 patchSG0002678
Algorithm #1 (sum -r):    29356 8 patchSG0002678
Algorithm #2 (sum):       28887 8 patchSG0002678
MD5 checksum:             8F70D3A0A297F21DB47A89C6522216AC

Filename:                 patchSG0002678.DCE_hdr
Algorithm #1 (sum -r):    29460 8 patchSG0002678.DCE_hdr
Algorithm #2 (sum):       21868 8 patchSG0002678.DCE_hdr
MD5 checksum:             FB225D06B2C3388C90AEDEA602C47E9C

Filename:                 patchSG0002678.DCE_sw
Algorithm #1 (sum -r):    01092 20273 patchSG0002678.DCE_sw
Algorithm #2 (sum):       38822 20273 patchSG0002678.DCE_sw
MD5 checksum:             F431CAD81201422515E5657F404D9A9E

Filename:                 patchSG0002678.DCE_sw32
Algorithm #1 (sum -r):    32696 5828 patchSG0002678.DCE_sw32
Algorithm #2 (sum):       50088 5828 patchSG0002678.DCE_sw32
MD5 checksum:             69D82184EFE0C90B42E3580EE8C12C3F

Filename:                 patchSG0002678.DCE_sw64
Algorithm #1 (sum -r):    49268 6303 patchSG0002678.DCE_sw64
Algorithm #2 (sum):       46879 6303 patchSG0002678.DCE_sw64
MD5 checksum:             327E6C8AA4EA66D28D9B4F4BA2C1C29E

Filename:                 patchSG0002678.DFS_sw
Algorithm #1 (sum -r):    57135 33041 patchSG0002678.DFS_sw
Algorithm #2 (sum):       19241 33041 patchSG0002678.DFS_sw
MD5 checksum:             E304E1471272D29DEBDEF2C92B1F507E

Filename:                 patchSG0002678.idb
Algorithm #1 (sum -r):    18177 24 patchSG0002678.idb
Algorithm #2 (sum):       34402 24 patchSG0002678.idb
MD5 checksum:             9732B977851307A76D0A41915446AFD3

Filename:                 README.patch.2679
Algorithm #1 (sum -r):    12911 18 README.patch.2679
Algorithm #2 (sum):       45218 18 README.patch.2679
MD5 checksum:             0372E330C0F36F21BE1B18104B35764A

Filename:                 patchSG0002679
Algorithm #1 (sum -r):    21166 4 patchSG0002679
Algorithm #2 (sum):       4443 4 patchSG0002679
MD5 checksum:             1EF8D675D4970C3680ABF3F172707A18

Filename:                 patchSG0002679.DCE_domestic_sw
Algorithm #1 (sum -r):    00651 6058 patchSG0002679.DCE_domestic_sw
Algorithm #2 (sum):       2779 6058 patchSG0002679.DCE_domestic_sw
MD5 checksum:             58DBF50346C7C061B880307FC93F529B

Filename:                 patchSG0002679.DCE_domestic_sw32
Algorithm #1 (sum -r):    60926 5912 patchSG0002679.DCE_domestic_sw32
Algorithm #2 (sum):       30244 5912 patchSG0002679.DCE_domestic_sw32
MD5 checksum:             542C70B9A9E9AB67B692797C027B03B5

Filename:                 patchSG0002679.DCE_domestic_sw64
Algorithm #1 (sum -r):    42845 6378 patchSG0002679.DCE_domestic_sw64
Algorithm #2 (sum):       3556 6378 patchSG0002679.DCE_domestic_sw64
MD5 checksum:             7AAF218B85F599616F0177AA0EB33EA6

Filename:                 patchSG0002679.DFS_domestic_sw
Algorithm #1 (sum -r):    01958 26147 patchSG0002679.DFS_domestic_sw
Algorithm #2 (sum):       40763 26147 patchSG0002679.DFS_domestic_sw
MD5 checksum:             16AC2AB4DAADB7FC858E17E04A2EBB80

Filename:                 patchSG0002679.idb
Algorithm #1 (sum -r):    32131 10 patchSG0002679.idb
Algorithm #2 (sum):       7644 10 patchSG0002679.idb
MD5 checksum:             A32549C1EB308E2E60691C5E0D5F4AE3

Filename:                 README.patch.2680
Algorithm #1 (sum -r):    07341 17 README.patch.2680
Algorithm #2 (sum):       27764 17 README.patch.2680
MD5 checksum:             426FB2F07E7D475A6041082D4ABF2C88

Filename:                 patchSG0002680
Algorithm #1 (sum -r):    41854 8 patchSG0002680
Algorithm #2 (sum):       12427 8 patchSG0002680
MD5 checksum:             E1FDE5E34BDA47AC2F49A84F90480D34

Filename:                 patchSG0002680.DCE_hdr
Algorithm #1 (sum -r):    38241 74 patchSG0002680.DCE_hdr
Algorithm #2 (sum):       46233 74 patchSG0002680.DCE_hdr
MD5 checksum:             C1AFA1041993291393C9D2E695D11A57

Filename:                 patchSG0002680.DCE_sw
Algorithm #1 (sum -r):    15573 21331 patchSG0002680.DCE_sw
Algorithm #2 (sum):       54145 21331 patchSG0002680.DCE_sw
MD5 checksum:             B18761B8BD7C8D2132D66E163E7A9A03

Filename:                 patchSG0002680.DCE_sw32
Algorithm #1 (sum -r):    53311 5838 patchSG0002680.DCE_sw32
Algorithm #2 (sum):       10596 5838 patchSG0002680.DCE_sw32
MD5 checksum:             247FAC6371C9F16EED37ED2ADA18C6FA

Filename:                 patchSG0002680.DCE_sw64
Algorithm #1 (sum -r):    08341 6318 patchSG0002680.DCE_sw64
Algorithm #2 (sum):       24100 6318 patchSG0002680.DCE_sw64
MD5 checksum:             922CF0068BF93FF6B2AEEDF7791CF19D

Filename:                 patchSG0002680.DFS_sw
Algorithm #1 (sum -r):    60299 10516 patchSG0002680.DFS_sw
Algorithm #2 (sum):       16894 10516 patchSG0002680.DFS_sw
MD5 checksum:             8C41AE6B8F34F21CC213307E936D0E7E

Filename:                 patchSG0002680.idb
Algorithm #1 (sum -r):    21012 19 patchSG0002680.idb
Algorithm #2 (sum):       49791 19 patchSG0002680.idb
MD5 checksum:             5F9B2EFBD7382D1E9C805C4AB39790AC
Filename:                 README.patch.2681
Algorithm #1 (sum -r):    37820 17 README.patch.2681
Algorithm #2 (sum):       23466 17 README.patch.2681
MD5 checksum:             BF90D4120752681AA8CC85E30D8F9B2C

Filename:                 patchSG0002681
Algorithm #1 (sum -r):    06707 4 patchSG0002681
Algorithm #2 (sum):       52425 4 patchSG0002681
MD5 checksum:             D8B53358819662E4F37756EDCBC46E04

Filename:                 patchSG0002681.DCE_domestic_sw
Algorithm #1 (sum -r):    52817 6060 patchSG0002681.DCE_domestic_sw
Algorithm #2 (sum):       13736 6060 patchSG0002681.DCE_domestic_sw
MD5 checksum:             B83F91BF6788F1CF5EF4118B259B3651

Filename:                 patchSG0002681.DCE_domestic_sw32
Algorithm #1 (sum -r):    02189 5909 patchSG0002681.DCE_domestic_sw32
Algorithm #2 (sum):       26545 5909 patchSG0002681.DCE_domestic_sw32
MD5 checksum:             3494E5F01F246CCAC8F98299B5A0FC06

Filename:                 patchSG0002681.DCE_domestic_sw64
Algorithm #1 (sum -r):    05410 6378 patchSG0002681.DCE_domestic_sw64
Algorithm #2 (sum):       3477 6378 patchSG0002681.DCE_domestic_sw64
MD5 checksum:             57D90B48AF707EF1C494AEFF621D76B6

Filename:                 patchSG0002681.DFS_domestic_sw
Algorithm #1 (sum -r):    37813 3102 patchSG0002681.DFS_domestic_sw
Algorithm #2 (sum):       10135 3102 patchSG0002681.DFS_domestic_sw
MD5 checksum:             9098B23B1C947FEF6C6E3282D7C12BC8

Filename:                 patchSG0002681.idb
Algorithm #1 (sum -r):    48063 4 patchSG0002681.idb
Algorithm #2 (sum):       34347 4 patchSG0002681.idb
MD5 checksum:             0C25153F4F015AC9ABE43AEE37EBE560

Filename:                 README.patch.2682
Algorithm #1 (sum -r):    36320 16 README.patch.2682
Algorithm #2 (sum):       25472 16 README.patch.2682
MD5 checksum:             FBD4E422418F1C04BE834B01DA32A956

Filename:                 patchSG0002682
Algorithm #1 (sum -r):    44327 6 patchSG0002682
Algorithm #2 (sum):       3707 6 patchSG0002682
MD5 checksum:             CB79E4CD6C3D177F4C2F9DC4F2A4C31F

Filename:                 patchSG0002682.DCE_hdr
Algorithm #1 (sum -r):    34388 1 patchSG0002682.DCE_hdr
Algorithm #2 (sum):       9815 1 patchSG0002682.DCE_hdr
MD5 checksum:             DFDD445FF99356C86CFBF4C4BAF7F4AB

Filename:                 patchSG0002682.DCE_sw
Algorithm #1 (sum -r):    56190 16020 patchSG0002682.DCE_sw
Algorithm #2 (sum):       52603 16020 patchSG0002682.DCE_sw
MD5 checksum:             A9D064BA7D97E4AFDBEDA8BB0428A767

Filename:                 patchSG0002682.DCE_sw32
Algorithm #1 (sum -r):    26046 6099 patchSG0002682.DCE_sw32
Algorithm #2 (sum):       41071 6099 patchSG0002682.DCE_sw32
MD5 checksum:             73B1042595A90F900B7B4838CA5181DA

Filename:                 patchSG0002682.DCE_sw64
Algorithm #1 (sum -r):    06103 6370 patchSG0002682.DCE_sw64
Algorithm #2 (sum):       63088 6370 patchSG0002682.DCE_sw64
MD5 checksum:             FD8A1B2D30FDA797B995117BF140FC55

Filename:                 patchSG0002682.DFS_sw
Algorithm #1 (sum -r):    56717 9573 patchSG0002682.DFS_sw
Algorithm #2 (sum):       64974 9573 patchSG0002682.DFS_sw
MD5 checksum:             226707FB10F844E2CB4F30595AC70FD8

Filename:                 patchSG0002682.idb
Algorithm #1 (sum -r):    10563 16 patchSG0002682.idb
Algorithm #2 (sum):       26825 16 patchSG0002682.idb
MD5 checksum:             FF387CDB1EE4EF8F9376A850AB2F8379

Filename:                 README.patch.2683
Algorithm #1 (sum -r):    32338 15 README.patch.2683
Algorithm #2 (sum):       21219 15 README.patch.2683
MD5 checksum:             0DF1BDCD671FA2E03A58C9838A680928

Filename:                 patchSG0002683
Algorithm #1 (sum -r):    58679 4 patchSG0002683
Algorithm #2 (sum):       56375 4 patchSG0002683
MD5 checksum:             F255015A5340CD34B0D707D396FD6D6B

Filename:                 patchSG0002683.DCE_domestic_sw
Algorithm #1 (sum -r):    25494 5598 patchSG0002683.DCE_domestic_sw
Algorithm #2 (sum):       54032 5598 patchSG0002683.DCE_domestic_sw
MD5 checksum:             D54E04B44F4385167E3E93B7CC694D5F

Filename:                 patchSG0002683.DCE_domestic_sw32
Algorithm #1 (sum -r):    50283 6197 patchSG0002683.DCE_domestic_sw32
Algorithm #2 (sum):       62501 6197 patchSG0002683.DCE_domestic_sw32
MD5 checksum:             B611492E5C9731F095BC21D580405B33

Filename:                 patchSG0002683.DCE_domestic_sw64
Algorithm #1 (sum -r):    28076 6442 patchSG0002683.DCE_domestic_sw64
Algorithm #2 (sum):       6953 6442 patchSG0002683.DCE_domestic_sw64
MD5 checksum:             A81BBDA039240C9EF751557A8D707FE0

Filename:                 patchSG0002683.DFS_domestic_sw
Algorithm #1 (sum -r):    20332 3263 patchSG0002683.DFS_domestic_sw
Algorithm #2 (sum):       63172 3263 patchSG0002683.DFS_domestic_sw
MD5 checksum:             E24CE4010A087AF805253C5BCCF6A325

Filename:                 patchSG0002683.idb
Algorithm #1 (sum -r):    30870 4 patchSG0002683.idb
Algorithm #2 (sum):       34408 4 patchSG0002683.idb
MD5 checksum:             991B340AFDE13737FA40F584D4854989


- - ------------------------
- - --- Acknowledgments ---
- - ------------------------

Silicon Graphics wishes to thank the the CERT Coordination Center for their
assistance in this matter.


- - -----------------------------------------------------------
- - --- Silicon Graphics Inc. Security Information/Contacts ---
- - -----------------------------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/security/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/security/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

______________________________________________________________________________
  This information is provided freely to all interested parties and may
  be redistributed provided that it is not altered in any way, Silicon
  Graphics is appropriately credited and the document retains and
  includes its valid PGP signature.


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNYawbbQ4cFApAP75AQFqPAP/UzEcvdjhYI0Er3qyyD6TFY+XdI6SGozh
2VYWp/SynZ5LSiL6RJ25RXBuNZVWYwOxnj/UtxGTOi2bdUtW+EnzEtdOQpeTXrk+
Z5trfGVOr0w3vQdzwPC9HQ9YCC6qFTsGoR3cZC7rnpEdd3BqDCbPhG9reO0Tk9v8
W60B5v7c2M4=
=ea2s
- -----END PGP SIGNATURE-----

- -------------------------END INCLUDED TEXT------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNZfB1Ch9+71yA2DNAQHG7QP+JGFqqNLWdGBx8iWi/pBsFihPX0wmLZYt
gtOg6Jpz2LrQF5Y/U06ZBtxiyNVDni1qGcCWbu61Fn/d33JxXBmBwvIM54LzfyfC
xuoYqQ/LNfvSrroF+C7Gte6vA+PkNOrSegRMhFMdWfZvyABEyp/J7eDF41WP/dhv
e7lrRvlQbQ0=
=PI3h
-----END PGP SIGNATURE-----