Original release date: July 19, 1999<BR>
Last revised: --<BR>
Source: CERT/CC<BR>
<P>A complete revision history is at the end of this file.
<H3>Systems Affected</H3>
<UL>
<LI>IRIX systems running the Array Services daemon
<LI>UNICOS systems running the Array Services daemon
</UL>
<H2>I. Description</H2>
<P>A vulnerability has been discovered in the default configuration of the Array Services daemon, arrayd. Array Services are used to manage a cluster of systems. The default configuration file, arrayd.auth, disables authentication and does not provide adequate protection for systems connected to an untrusted network.
<P>SGI has published the following document describing the vulnerability and solutions:
<DL><DD>
<A HREF="ftp://sgigate.sgi.com/security/19990701-01-P">ftp://sgigate.sgi.com/security/19990701-01-P</A>
</DL>
<H2>II. Impact</H2>
<P>On systems installed with the default configuration, remote and local users can execute arbitrary commands as root.
<H2>III. Solution</H2>
<P><B>Use "SIMPLE" authentication</B>
<P>Reconfigure arrayd to use "SIMPLE" authentication. For more information about reconfiguring arrayd, please see the <A HREF="ftp://sgigate.sgi.com/security/19990701-01-P">SGI security bulletin</A>.
<P><B>Disable the arrayd daemon</B>
<P>If you do not need the capabilities provided by the arrayd daemon, you may wish to disable the daemon.
<HR NOSHADE>
<P>The CERT Coordination Center would like to thank Yuri Volobuev and the SGI Security Team for their assistance in preparing this advisory.
<p>Copyright 1999 Carnegie Mellon University.</p>
<HR>
Revision History
<PRE>
July 19, 1999: Initial release
</PRE>