{"vuid":"VU#521147","idnumber":"521147","name":"SGI IRIX rpc.xfsmd uses weak authentication mechanism for RPC authentication","keywords":["SGI","IRIX","rpc.xfsmd","weak authentication","AUTH_UNIX","RPC authentication"],"overview":"The XFS file system on SGI systems allows anonymous remote users to call xfs-related RPC functions.","clean_desc":"XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (rpc.xfsmd) on SGI systems uses the default AUTH_UNIX authentication mechanism (a client-based security option) for its RPC service. This means the rpc.xfsmd daemon trusts that the remote system calling its RPC interface has already authenticated the remote client process via standard UNIX user id mechanisms (i.e., if a daemon only allows UID 0 [root] access to its RPC interface, it trusts remote RPC clients to be running with UID 0 [root] privileges). As a result, any remote system able to forge UID 0 in its RPC call to vulnerable SGI rpc.xfsmd daemons can bypass the RPC authentication mechanism altogether. When exploited in conjunction with VU#195371, this could lead to the execution of arbitrary commands on vulnerable SGI systems.","impact":"A remote attacker can bypass the default AUTH_UNIX authentication mechanism for this RPC service, allowing anonymous RPC function calls","resolution":"SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.","workarounds":"Per SGI Security Advisory 20020606-02-I: There is no effective workaround available for these problems. SGI recommends either disabling or uninstalling the product. To disable the product from running, perform the following steps: # killall /usr/etc/xfsmd\n  # vi /etc/inetd.conf Look for a line in inetd.conf that looks like this: sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd ...and comment it out by putting a \"#\" at the beginning of the line: #sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd ...or simply remove the line from the file. # killall -HUP inetd To remove the product from the system, perform the following command: # versions remove eoe.sw.xfsmserv","sysaffected":"","thanks":"Last Stage of Delirium has reported this vulnerability in several public forums.","author":"This document was written by Jeffrey S. Havrilla.","public":["ftp://patches.sgi.com/support/free/security/advisories/20020606-02-I","http://www.securityfocus.com/bid/5075","http://www.iss.net/security_center/static/9401.php","http://oss.sgi.com/projects/xfs/","http://www.sgi.com/software/xfs/"],"cveids":["CVE-2002-0359"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-06-20T17:11:18Z","publicdate":"2002-06-20T00:00:00Z","datefirstpublished":"2002-08-08T22:20:31Z","dateupdated":"2002-08-08T22:20:36Z","revision":15,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"15","cam_internetinfrastructure":"4","cam_population":"5","cam_impact":"12","cam_easeofexploitation":"16","cam_attackeraccessrequired":"15","cam_scorecurrent":"10.53","cam_scorecurrentwidelyknown":"10.53","cam_scorecurrentwidelyknownexploited":"11.88","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":10.53,"vulnote":null}