NOTICE: THIS IS A RETRANSMISSION OF ASSIST 93-26. Due to a mailer problem encountered during the transmission of ASSIST 93-26, which was the initial ASSIST bulletin to be distributed in this manner, we are re-issuing this bulletin after correcting the mailer problem. Those of you who received the initial message may disregard this bulletin, and we ask for your patience as we work to improve our services.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        Automated Systems Security Incident Support Team
        [ASSIST logo: "Integritas et Celeritas"]
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 93-26
Initial Release date: 4 October 1993, 09:30 EDT
Retransmitted on:     7 October 1993, 14:00 EDT

Subject: SGI default settings exploited in recent Internet attacks.

BACKGROUND:

ASSIST has received reports of unauthorized users gaining access to DoD systems on the Internet by exploiting default installation settings of SGI operating systems. The problems involve default accounts with no passwords and X-windows settings that could allow an unauthorized user to obtain access to system resources. Each of these items is addressed in the documentation for these systems, but recent network activity indicates that installation and administration personnel are not aware of this information.

ASSIST strongly recommends that the personnel responsible for the security and administration of any information processing system become familiar with all aspects of the configuration of, and the known vulnerabilities associated with, that system. The detailed information listed below, which describes procedures to eliminate the specific vulnerabilities mentioned in this bulletin, was obtained from the SGI IRIX Administrators Guide, System Security Chapter.
RECOMMENDATION #1:

SGI systems will install accounts for the following usernames: "root", "lp", "nuucp", "tutor", "demos", "guest", and "4dgifts", that are not password protected. These accounts should be password protected or disabled immediately after installation is complete. Some of these accounts provide functionality (i.e. root is needed to boot the system, lp is needed for printing) and should not be removed without consideration of the effect on system performance and functionality. Accounts such as "guest", however, could be removed without having any detrimental effect on the system. If the decision is made to delete any of the default accounts, the /etc/passwd file must be manually edited; the accounts cannot be removed using the SGI "sysadm" tool.

There are two ways to lock an account. The first way is to use the passwd command with the -l option:

    passwd -l <username>

This will change the password field in /etc/passwd for <username> to *LK*. The second way to lock an account is by editing the password file directly and changing the password field for <username> to any string of characters not used by the program that encrypts passwords. The passwd -l option, for example, uses the string *LK*.

RECOMMENDATION #2:

If you are using SGI X-windows and have this option set as "xhost +", the potential exists for anyone on the network to remotely gain unauthorized access to your system. To ensure that you only allow X-window access from selected hosts, you should do the following:

a. Create (or edit, if it already exists) the file "/etc/Xn.hosts", where "n" is the display number (normally 0, i.e. /etc/X0.hosts), and add the line "+localhost", or your host's name (see the "xhost" man page for details).

b. For some X servers, there may be files in /usr/lib/X11/xdm which contain lines similar to the following entry extracted from the SGI Iris system:

       # Gives anyone on any host access to this display
       /usr/bin/X11/xhost +

   These lines should be commented out or removed from all files in which they exist. For SGI Iris, these files are:

       /usr/lib/X11/xdm/Xsession
       /usr/lib/X11/xdm/Xsession-remote
       /usr/lib/X11/xdm/Xsession.O

c. Any "xhost" commands in user startup scripts (.cshrc, .login, .profile, etc.) should be removed or commented out.

d. After all changes have been made, you should:
   - reboot your machine to ensure that the changes take effect
   - change all passwords for every user who may have been affected.
   Note: If this vulnerability existed on your system, the possibility exists that passwords on remote machines may also have been compromised.

e. Test the new system by trying to use its display from a remote machine which is not listed as an xhost, for example:

       setenv DISPLAY yourhostname:0
       /usr/bin/X11/xterm

   You should get the message:

       Xlib: connection to "(your hostname)" refused by server
       Xlib: Client is not authorized to connect to Server

ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST bbs (see below) and through anonymous ftp from assist.ims.disa.mil.

ASSIST contact information:

PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes; however, if a quicker response is required, prefix your phone number with "999" and ASSIST will return your call within 5 minutes.

Electronic mail: assist@assist.ims.disa.mil.

ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".
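An added audit script (not from the bulletin, SGI or IRIX) that checks for both conditions Recommendations #1 and #2 describe: bulletin-listed default accounts whose /etc/passwd password field is still empty, and uncommented "xhost +" lines in xdm session files and user startup scripts. The passwd file and scripts it runs against are constructed samples; the account list is the one given in Recommendation #1.

```sh
#!/bin/sh
# Added audit helper, not part of the ASSIST bulletin or of IRIX: it
# reports the two default-settings problems the bulletin describes, on
# files given as arguments (copies of the real ones). POSIX sh/awk/grep.

# Usernames the bulletin lists as installed without passwords.
DEFAULT_ACCOUNTS="root lp nuucp tutor demos guest 4dgifts"

# Print each bulletin-listed account in $1 (passwd format) whose
# password field is empty.  An account locked with "passwd -l"
# carries *LK* and is not reported; a deleted account is absent.
unprotected_default_accounts() {
    for u in $DEFAULT_ACCOUNTS; do
        awk -F: -v u="$u" '$1 == u && $2 == "" { print $1 }' "$1"
    done
}

# Print file:line:text for each uncommented "xhost +" (access for
# every host) in the given files.  "xhost +somehost" is a grant to a
# named host and is not flagged.  /dev/null makes grep prefix the
# filename even when only one file is checked.
open_xhost_lines() {
    grep -nE '^[^#]*xhost[[:space:]]+\+[[:space:]]*$' /dev/null "$@"
}

# Constructed sample files standing in for /etc/passwd, an xdm
# Xsession script and a user's .cshrc on a fresh installation.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root::0:0:Super-User:/:/bin/csh
lp:*LK*:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
4dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
jdoe:XyZaBc123defg:1001:20:Jane Doe:/usr/people/jdoe:/bin/csh
EOF
cat > "$SAMPLE_DIR/Xsession" <<'EOF'
#!/bin/sh
# Gives anyone on any host access to this display
/usr/bin/X11/xhost +
xhost +localhost
EOF
cat > "$SAMPLE_DIR/.cshrc" <<'EOF'
#/usr/bin/X11/xhost +
EOF

echo "Default accounts with no password:"
unprotected_default_accounts "$SAMPLE_DIR/passwd"
echo "Files still granting X access to every host:"
open_xhost_lines "$SAMPLE_DIR/Xsession" "$SAMPLE_DIR/.cshrc"
```

On a real system, point the two functions at /etc/passwd, the three xdm files named in step b, and each user's startup scripts; a locked (*LK*) account and a commented-out xhost line are correctly left unreported.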
Privacy Enhanced Mail (PEM):

ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. Recipients of ASSIST bulletins who use PEM will be able to verify with a very high level of assurance that the information originated from ASSIST. PEM is compatible with all e-mail implementations available on the Milnet, and sites not using PEM will still be able to read bulletins that have PEM digital signatures.

Information about PEM can be obtained via anonymous ftp from nic.ddn.mil (IP 192.112.36.5) in the /rfc directory, files rfc1421.txt, rfc1422.txt, rfc1423.txt, and rfc1424.txt. These files can also be downloaded from the ASSIST bbs. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100).

Note: The TIS software is just one of several implementations of PEM currently available, and additional versions are likely to be offered from other sources in the near future.