Original release date: July 19, 1999<BR>
Last revised: --<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<H3>Systems Affected</H3>

<UL>
<LI>IRIX systems running the Array Services daemon
<LI>UNICOS systems running the Array Services daemon
</UL>

<H2>I. Description</H2>

<P>A vulnerability has been discovered in the default configuration of
the Array Services daemon, arrayd.  Array Services are used to manage
a cluster of systems.  The default configuration file, arrayd.auth,
disables authentication and does not provide adequate protection for
systems connected to an untrusted network.

<P>SGI has published the following document describing the
vulnerability and solutions:

  <DL><DD>
  <A HREF="ftp://sgigate.sgi.com/security/19990701-01-P">
  ftp://sgigate.sgi.com/security/19990701-01-P</A>
  </DL>

<H2>II. Impact</H2>

<P>On systems installed with the default configuration, remote and
local users can execute arbitrary commands as root.

<H2>III. Solution</H2>

<P><B>Use "SIMPLE" authentication</B>

<P>Reconfigure arrayd to use "SIMPLE" authentication.  For more
information about reconfiguring arrayd, please see the 
<A HREF="ftp://sgigate.sgi.com/security/19990701-01-P">
SGI security bulletin</A>.
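
<P>The shell functions below are an added example, not part of the CERT/CC or SGI text. They audit a copy of arrayd.auth for the condition described above. The directive syntax (<CODE>AUTHENTICATION NONE</CODE> / <CODE>AUTHENTICATION SIMPLE</CODE>, with <CODE>#</CODE> comments), the storage of SIMPLE-mode keys in the same file, and the function names are assumptions; the path to the file is passed as an argument.

```shell
# Added example: audit an arrayd.auth file for the weakness in this advisory.
# Assumptions (the advisory does not show the file syntax): "#" starts a
# comment, "AUTHENTICATION NONE" / "AUTHENTICATION SIMPLE" selects the mode,
# and SIMPLE-mode keys are stored in the same file.

# Print every active (uncommented) AUTHENTICATION mode, upper-cased,
# space-separated, in order of first appearance. Prints an empty line if none.
arrayd_auth_modes() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        toupper($1) == "AUTHENTICATION" {
            m = toupper($2)
            if (m != "" && !(m in seen)) {
                seen[m] = 1
                out = (out == "" ? m : out " " m)
            }
        }
        END { print out }
    ' "$1"
}

# Return 0 only if SIMPLE is the sole active mode and the file is not
# accessible to group or other; 1 on a finding; 2 if the file is unreadable.
audit_arrayd_auth() {
    file=$1
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    modes=$(arrayd_auth_modes "$file")
    case "$modes" in
        SIMPLE) ;;
        "") echo "FAIL: $file has no active AUTHENTICATION directive"
            return 1 ;;
        *)  echo "FAIL: $file enables: $modes (expected only SIMPLE)"
            return 1 ;;
    esac

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file is accessible to group/other ($perms)"
        return 1
    fi
    echo "OK: $file uses SIMPLE authentication and is owner-only"
}
```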

<P><B>Disable the arrayd daemon</B>

<P>If you do not need the capabilities provided by the arrayd daemon,
you may wish to disable the daemon.

<HR NOSHADE>

<P>The CERT Coordination Center would like to thank Yuri Volobuev and
the SGI Security Team for their assistance in preparing this advisory.


<p>Copyright 1999 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
July 19, 1999:  Initial release
</PRE>