COMMAND

    Embedded Support Partner Infrastructure Sender (rpc.espd)

SYSTEMS AFFECTED

    IRIX 6.5.5, 6.5.8

PROBLEM

    The following is based on an ISS Security Advisory.  ISS X-Force has
    discovered  a  buffer  overflow  in  the rpc.espd component of the
    Embedded Support Partner  (ESP) subsystem.   ESP is installed  and
    enabled by default on all current SGI IRIX installations.

    A local account is not required to exploit this vulnerability.

    ESP was developed  by SGI to  address the concerns  of many system
    administrators who needed to manage large-scale SGI  environments.
    ESP allows administrators  better access to  information regarding
    the state  of all  SGI devices  on a  network.   It integrates and
    correlates  system  configuration  management,  event  management,
    resource management, reporting, statistics generation and analysis
    as well as many other features.

    ESP was first introduced in  IRIX version 6.5.5.  The  ESP daemon,
    rpc.espd,  contains  a  buffer  overflow  condition that may allow
    remote attackers to execute arbitrary commands with superuser
    privileges on the target server.

    This vulnerability was discovered  and researched by Mark  Dowd of
    ISS X-Force.

SOLUTION

    SGI recommends immediately disabling rpc.espd to prevent  exposure
    before patches can be applied.  To disable rpc.espd:

        # /bin/chmod -x /usr/etc/rpc.espd
        # /etc/killall -HUP inetd
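
    To confirm the workaround took effect, the following added example (not
    part of the ISS or SGI advisory) reports whether rpc.espd can still be
    started.  It assumes inetd reads /etc/inetd.conf and that the entry
    names the program path; both paths can be overridden as arguments.

```shell
#!/bin/sh
# Added example: audit the rpc.espd workaround (chmod -x, then inetd reload).
# Both paths are parameters so the check can be run against a test tree.

# Succeeds (0) when the file exists and still carries any execute bit.
has_exec_bit() {
    [ -f "$1" ] || return 1
    # Permission characters 2-10 of `ls -l`; x, s or t means executable.
    perms=$(ls -ld "$1" | cut -c2-10)
    case $perms in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prints uncommented inetd.conf lines that reference the given program path.
active_inetd_entries() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -F -- "$2" || true
}

# Prints one word describing the state; returns 0 only when mitigated.
#   mitigated  no execute bit (or file absent), so inetd cannot start it
#   exposed    executable and referenced by an active inetd.conf line
#   runnable   executable, but no active inetd.conf line names it
espd_workaround_status() {
    bin=${1:-/usr/etc/rpc.espd}      # path taken from the advisory
    conf=${2:-/etc/inetd.conf}       # assumed inetd configuration path
    if ! has_exec_bit "$bin"; then
        echo mitigated; return 0
    fi
    if [ -n "$(active_inetd_entries "$conf" "$bin")" ]; then
        echo exposed; return 1
    fi
    echo runnable; return 1
}

# With no arguments, check the default paths named above.
espd_workaround_status "$@"
```

    Checking every execute bit matters because a plain "chmod -x" honours
    the caller's umask and can leave group or other execute bits set.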

    SGI  has  made  security  patch  4123  available  to  address this
    vulnerability.

    This issue has been corrected in ESP 2.0 for IRIX 6.5.9 and above.