[30] in Security FYI
current attacks on MIT Irix systems via autofsd
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Fri Jan 7 16:59:18 2000
From: mhpower@MIT.EDU
Date: Fri, 7 Jan 2000 16:59:09 -0500
Message-Id: <200001072159.QAA09644@the-oz.mit.edu>
To: security-fyi@MIT.EDU
Reply-To: net-security@MIT.EDU

There have been some recent reports of root compromises on SGI Irix
systems at MIT, with the compromise apparently occurring due to a
vulnerability in the autofsd program. It is likely a very good idea to
temporarily stop running autofsd on all Irix systems until a security
patch for this new vulnerability is provided by SGI. The specific
exploit program in use may be one that is not yet publicly
available. There is some discussion of the vulnerability at:

  http://www.mit.edu:8008/menelaus/bt/12332

This is believed to be a different vulnerability than the one
announced by SGI on 22 October 1998 in their security advisory

  ftp://sgigate.sgi.com/security/19981005-01-A

However, the instructions provided in that advisory about shutting
off autofsd provide a useful workaround for the current security
issue. Please refer to that advisory for the specific configuration
steps, which include the command "chkconfig autofs off". If you
are not able to reboot your system right away, you may want to
use the command "/sbin/killall -k 10 autofs autofsd" to eliminate
the running processes associated with the autofs service.

Later today, there may be some more detailed information about this
security issue available on the web page

  http://web.mit.edu/net-security/www/fyi/fyi-2000-001-autofsd.html

Matt Power
Network Security team, MIT Information Systems
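
A check that the workaround described in the message is in effect, as an added example that is not part of the original message or of SGI's advisory. It assumes that the chkconfig listing shows each flag name followed by its state and that "ps -e" prints the PID first and the command name last; the function names are hypothetical and the sample text is constructed.

```shell
#!/bin/sh
# Added example: audit whether the autofs workaround is in effect.
# Assumed layouts: chkconfig lists "<flag> <state>" per line; ps -e prints
# the PID first and the command name last. Function names are hypothetical.

# Constructed sample input, not captured from a real system.
SAMPLE_CHKCONFIG='        Flag                 State
        ====                 =====
        autofs               on
        nfs                  on'
SAMPLE_PS='   PID TTY      TIME CMD
     1 ?        0:02 init
   312 ?        0:00 autofsd
   318 ?        0:00 autofs
   401 ttyq0    0:00 csh'

# Print the autofs flag state (on/off), or "missing" if it is not listed.
autofs_flag_state() {
    awk '$1 == "autofs" { print $2; found = 1 }
         END { if (!found) print "missing" }'
}

# Print space-separated PIDs whose command basename is autofs or autofsd.
autofs_pids() {
    awk 'NR > 1 { n = split($NF, p, "/")
                  if (p[n] == "autofs" || p[n] == "autofsd")
                      out = (out == "" ? "" : out " ") $1 }
         END { print out }'
}

# $1 = chkconfig listing, $2 = ps -e listing. Returns 0 only when the flag
# is not "on" and no autofs/autofsd process remains.
audit_autofs() {
    state=$(printf '%s\n' "$1" | autofs_flag_state)
    pids=$(printf '%s\n' "$2" | autofs_pids)
    rc=0
    if [ "$state" = "on" ]; then
        echo "FAIL: autofs flag is on; run: chkconfig autofs off"; rc=1
    fi
    if [ -n "$pids" ]; then
        echo "FAIL: still running (pids: $pids); run: /sbin/killall -k 10 autofs autofsd"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: autofs disabled and not running"
    return "$rc"
}

# Demonstration on the constructed samples (reports both failures).
audit_autofs "$SAMPLE_CHKCONFIG" "$SAMPLE_PS" || true
```

On a live system the two arguments would be the captured output of the commands themselves, for example audit_autofs "$(chkconfig)" "$(ps -e)".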