__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Buffer Overflow Vulnerability in Solaris X Window Font Service
[CERT Advisory CA-2002-34]
December 12, 2002 20:00 GMT Number N-024
______________________________________________________________________________
PROBLEM: The Solaris X Window Font Service (XFS) daemon (fs.auto)
contains a remotely exploitable buffer overflow vulnerability
that could allow an attacker to execute arbitrary code or cause
a denial of service.
PLATFORM: Multiple vendor products might be affected when used in
conjunction with the Solaris X Window Font Service (XFS) daemon
(fs.auto).
DAMAGE: A remote attacker can execute arbitrary code with the
privileges of the fs.auto daemon (typically run as "nobody") or
cause a denial of service by crashing the service.
SOLUTION: Check with your vendor for platform-specific patches or other
solutions. Until patches become available and can be applied,
you may wish to disable the XFS daemon (fs.auto).
______________________________________________________________________________
VULNERABILITY The risk is HIGH. The XFS daemon is installed and running by
ASSESSMENT: default on all versions of the Solaris operating system. A
remote attacker could potentially gain control of a target
machine and execute arbitrary code.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-024.shtml
ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-34.html
Monitor the CERT Advisory for vendor updates.
______________________________________________________________________________
[***** Start CERT Advisory CA-2002-34 *****]
CERT® Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service
Original release date: November 25, 2002
Last revised: Wed Dec 11 14:30:06 EST 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
Sun Microsystems Solaris 2.6 (Sparc/Intel)
Sun Microsystems Solaris 7 (Sparc/Intel)
Sun Microsystems Solaris 8 (Sparc/Intel)
Sun Microsystems Solaris 9 (Sparc)
Overview
The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a
remotely exploitable buffer overflow vulnerability that could allow an
attacker to execute arbitrary code or cause a denial of service.
I. Description
A remotely exploitable buffer overflow vulnerability exists in the
Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of
this vulnerability can lead to arbitrary code execution on a vulnerable
Solaris system. This vulnerability was discovered by ISS X-Force.
The Solaris X Window Font Service (XFS) serves font files to clients. Sun
describes the XFS service as follows:
The X Font Server is a simple TCP/IP-based service that serves font files
to its clients. Clients connect to the server to request a font set, and
the server reads the font files off the disk and serves them to the clients.
The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on all versions of the
Solaris operating system. Further information about this vulnerability may
be found in VU#312313.
http://www.kb.cert.org/vuls/id/312313
This vulnerability is also being referred to as CAN-2002-1317 by CVE.
Note this vulnerability is in the X Window Font Server, and not the
filesystem of a similar name.
II. Impact
A remote attacker can execute arbitrary code with the privileges of the
fs.auto daemon (typically nobody) or cause a denial of service by crashing
the service.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory.
As vendors report new information to the CERT/CC, we will update this
section and note the changes in our revision history. If a particular
vendor is not listed below, we have not received their comments. Please
contact your vendor directly.
Disable vulnerable service
Until patches can be applied, you may wish to disable the XFS daemon
(fs.auto). As a best practice, the CERT/CC recommends disabling all
services that are not explicitly required. On a typical Solaris system,
it should be possible to disable the fs.auto daemon by commenting out the
relevant entries in /etc/inetd.conf and then restarting the inetd process.
Workarounds
Block access to port 7100/TCP at your network perimeter. Note that this
will not protect vulnerable hosts within your network perimeter.
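The interim mitigation above (comment out the fs.auto entry in /etc/inetd.conf, then restart inetd) is easy to get wrong by hand on a fleet of hosts. The script below is an added example, not part of the CERT or CIAC bulletin: it checks an inetd.conf-style file for an active "fs" service entry, comments it out while keeping a backup, and reports what is still enabled. The inetd.conf fragment it builds is constructed for the demonstration, modelled on the typical Solaris layout; on a real host point the functions at /etc/inetd.conf instead.

```shell
#!/bin/sh
# Added example (not from the CERT/CIAC bulletin): find and neutralise the
# Solaris X Font Server (fs.auto) entry in an inetd.conf-style file, which is
# the interim mitigation the advisory describes, and report the result.

# Return 0 if FILE ($1) still has an active (uncommented) "fs" service entry.
xfs_enabled() {
    grep -q '^[[:space:]]*fs[[:space:]]' "$1"
}

# Comment out every active "fs" entry in FILE ($1), keeping FILE.bak untouched.
# Lines that are already comments (starting with '#') are left alone.
disable_xfs() {
    cp "$1" "$1.bak"
    sed 's/^\([[:space:]]*fs[[:space:]]\)/#\1/' "$1.bak" > "$1"
}

# Print the number of active service entries (non-blank, non-comment lines).
active_services() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Write a constructed inetd.conf fragment to FILE ($1) for the demonstration.
# The "fs" line mirrors the shape of the real Solaris entry (service name,
# socket type, protocol, wait flag, user, server path, arguments).
make_sample() {
    cat > "$1" <<'EOF'
# Constructed inetd.conf fragment modelled on a Solaris 8 layout (demo only)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd        in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd     in.telnetd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
#fs     stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
EOF
}

# Stand-alone demonstration on a temporary copy; nothing on the host is changed.
demo=$(mktemp)
make_sample "$demo"
if xfs_enabled "$demo"; then
    echo "fs.auto is enabled ($(active_services "$demo") active services)"
    disable_xfs "$demo"
    echo "after disable_xfs: $(active_services "$demo") active services"
    echo "next step on a real host: send SIGHUP to inetd so it rereads the file"
fi
rm -f "$demo" "$demo.bak"
```

On a live Solaris host the sequence is `disable_xfs /etc/inetd.conf` followed by a SIGHUP to the inetd process (for example `kill -HUP <inetd pid>`), after which a check that nothing is listening on 7100/TCP (`netstat -an | grep '\.7100 '`, assuming Solaris netstat's `*.7100` address format) confirms the change took effect. The perimeter filter on 7100/TCP is still worthwhile for hosts that cannot be changed immediately, but, as the advisory notes, it does nothing for attackers already inside the perimeter.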
Appendix A. - Vendor Information
Hewlett-Packard Company
HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002
reference id: CERT CA-2002-34, SSRT2429
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000
Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11,
and 11.22
This bulletin is available from the HP IT Resource Center page at:
http://itrc.hp.com "Maintenance and Support" then "Support Information
Digests" and then "hp security bulletins archive" search for bulletin
HPSBUX0212-228.
NOT IMPACTED:
HP Tru64 UNIX, HP NonStop Servers, HP openMVS
IBM
The AIX operating system is vulnerable to the xfs issues discussed in
CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.
IBM provides the following official fixes:
APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)
A temporary patch is available through an efix package which can be found at
ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z.
Microsoft Corporation
The component in question is not used in any Microsoft product.
NetBSD
NetBSD ships the xfs from XFree86, though it's not on or used by default.
OpenBSD
The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable.
OpenBSD 2.7 and later is not.
Red Hat Inc.
Red Hat Linux is not affected by this vulnerability.
SGI
We're not vulnerable to this.
Sun Microsystems
The Solaris X font server (xfs(1)) is affected by VU#312313 in the
following supported versions of Solaris:
Solaris 2.6
Solaris 7
Solaris 8
Solaris 9
Patches are being generated for all of the above releases. Sun will be
publishing a Sun Alert for this issue at the following location shortly:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879
The patches will be available from:
http://sunsolve.sun.com/securitypatch
SuSE
We are not affected.
Appendix B. - References
1. ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise
Vulnerability -
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
2. Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6:
Sample DSDL Resource Type Implementation -
http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view
3. CERT/CC Vulnerability Note: VU#312313 -
http://www.kb.cert.org/vuls/id/312313
4. CVE reference number CAN-2002-1317. Information available at
http://cve.mitre.org
Internet Security Systems publicly reported this vulnerability.
Authors: Ian A. Finlay and Shawn V. Hernan.
This document is available from:
http://www.cert.org/advisories/CA-2002-34.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other hours,
on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our
web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
November 25, 2002: Initial release
November 25, 2002: Added vendor statement for Hewlett-Packard Company
November 25, 2002: Added vendor statement for Microsoft Corporation
December 02, 2002: Added vendor statement for SuSE
December 04, 2002: Added vendor statement for Red Hat Inc.
December 05, 2002: Revised vendor statement for OpenBSD
December 06, 2002: Revised vendor statement for Hewlett-Packard Company
December 11, 2002: Added vendor statement for IBM
(Note IBM provided their statement on December 5, 2002)
[***** End CERT Advisory CA-2002-34 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability
N-020: Red Hat Multiple Vulnerabilities in KDE
N-021: Cumulative Patch for Internet Explorer
N-022: Red Hat Updated wget packages fix directory traversal bug
N-023: Vulnerability in CIFS/9000 Samba Server