objectserver vulnerability
CVE-2000-0245
Impact
A vulnerability in the IRIX objectserver daemon could allow a remote
attacker to create user accounts on the system.
Background
IRIX systems prior to version 6.3 contain a package of system
administration tools called Cadmin.
The IRIX objectserver daemon manages Cadmin objects such as tapes,
CDs, and user accounts.
The Problem
The objectserver daemon contains a vulnerability which could allow
a remote attacker to create user accounts on the system. Only
unprivileged user accounts could be created, but a skilled attacker
can often find a way to gain root access after gaining user access.
IRIX versions 5.0 through 6.2 have this vulnerability. Later versions
do not have the Cadmin utilities and therefore are not affected.
Resolution
If the Cadmin utilities are not needed, then disable the objectserver
daemon. This can be done by entering the following commands
when logged in as root:
# /sbin/chkconfig objectserver off
# /etc/init.d/cadmin stop; /etc/init.d/cadmin start
Note that the Cadmin utilities cannot be used if the objectserver
is disabled. If these utilities are needed, apply an appropriate
patch instead of disabling the objectserver daemon. Patch information is
available from CIAC Bulletin K-030.
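As an added audit helper (not part of the advisory or of IRIX itself), the following POSIX shell functions report whether the objectserver chkconfig flag is still on, so an administrator can verify the state before and after running the commands above. It assumes that IRIX chkconfig keeps each flag as a file /etc/config/<flag> whose content is "on" or "off", and that a missing flag file counts as off; both are assumptions, and the directory can be overridden through CONFIG_DIR for testing on another system. disable_objectserver runs exactly the two commands from the Resolution section and only when the flag is on.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory. Assumes (unverified here)
# that IRIX chkconfig stores each flag as $CONFIG_DIR/<flag> containing
# "on" or "off", and treats a missing flag file as off.

CONFIG_DIR="${CONFIG_DIR:-/etc/config}"

# objectserver_state [DIR] -> prints "on" or "off" for the objectserver flag
objectserver_state() {
    dir="${1:-$CONFIG_DIR}"
    f="$dir/objectserver"
    if [ -f "$f" ]; then
        # Strip whitespace so "on\n" and "on" compare equal.
        state=$(tr -d '[:space:]' < "$f")
        case "$state" in
            on|ON) echo on ;;
            *)     echo off ;;
        esac
    else
        echo off
    fi
}

# objectserver_needs_action [DIR] -> exit status 0 when the daemon is enabled
objectserver_needs_action() {
    [ "$(objectserver_state "$1")" = "on" ]
}

# disable_objectserver: the advisory's two commands, run only when needed.
# Must be executed as root on the IRIX host.
disable_objectserver() {
    if objectserver_needs_action "$CONFIG_DIR"; then
        /sbin/chkconfig objectserver off
        /etc/init.d/cadmin stop; /etc/init.d/cadmin start
    fi
}

# Usage: sh objectserver_audit.sh --report   (prints the current flag state)
#        sh objectserver_audit.sh --disable  (applies the advisory's fix)
case "${1:-}" in
    --report)  echo "objectserver flag: $(objectserver_state "$CONFIG_DIR")" ;;
    --disable) disable_objectserver ;;
esac
```

After applying the fix, `--report` should print "objectserver flag: off"; if it still prints "on", the chkconfig change did not take and the daemon will start again at the next boot.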
Where can I read more about this?
More information about this vulnerability is available from
CIAC Bulletin K-030.