Buffer Overflow Vulnerability in Solaris X Window Font Service (CIAC N-024)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

         Buffer Overflow Vulnerability in Solaris X Window Font Service
                           [CERT Advisory CA-2002-34]

December 12, 2002 20:00 GMT                                       Number N-024
______________________________________________________________________________
PROBLEM:       The Solaris X Window Font Service (XFS) daemon (fs.auto)
               contains a remotely exploitable buffer overflow vulnerability
               that could allow an attacker to execute arbitrary code or cause
               a denial of service.
PLATFORM:      Multiple vendor products might be affected when used in
               conjunction with the Solaris X Window Font Service (XFS) daemon
               (fs.auto).
DAMAGE:        A remote attacker can execute arbitrary code with the
               privileges of the fs.auto daemon (typically run as "nobody") or
               cause a denial of service by crashing the service.
SOLUTION:      Check with your vendor for platform-specific patches or other
               solutions. Until patches become available and can be applied,
               you may wish to disable the XFS daemon (fs.auto).
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The XFS daemon is installed and running by
ASSESSMENT:    default on all versions of the Solaris operating system. A
               remote attacker could potentially gain control of a target
               machine and execute arbitrary code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-024.shtml
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2002-34.html
                     Monitor the CERT Advisory for vendor updates.
______________________________________________________________________________
[***** Start CERT Advisory CA-2002-34 *****]

CERT® Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service

Original release date: November 25, 2002
Last revised: Wed Dec 11 14:30:06 EST 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Sun Microsystems Solaris 2.5.1 (Sparc/Intel) 
Sun Microsystems Solaris 2.6 (Sparc/Intel) 
Sun Microsystems Solaris 7 (Sparc/Intel) 
Sun Microsystems Solaris 8 (Sparc/Intel) 
Sun Microsystems Solaris 9 (Sparc) 

Overview

The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a 
remotely exploitable buffer overflow vulnerability that could allow an 
attacker to execute arbitrary code or cause a denial of service. 

I. Description

A remotely exploitable buffer overflow vulnerability exists in the 
Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of 
this vulnerability can lead to arbitrary code execution on a vulnerable 
Solaris system. This vulnerability was discovered by ISS X-Force. 

The Solaris X Window Font Service (XFS) serves font files to clients. Sun 
describes the XFS service as follows: 

The X Font Server is a simple TCP/IP-based service that serves font files 
to its clients. Clients connect to the server to request a font set, and 
the server reads the font files off the disk and serves them to the clients. 
The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.

The XFS daemon is installed and running by default on all versions of the 
Solaris operating system. Further information about this vulnerability may 
be found in VU#312313. 

http://www.kb.cert.org/vuls/id/312313 

This vulnerability is also being referred to as CAN-2002-1317 by CVE. 

Note that this vulnerability is in the X Window Font Server (xfs), not in 
the XFS filesystem that shares the same abbreviation. 

II. Impact

A remote attacker can execute arbitrary code with the privileges of the 
fs.auto daemon (typically nobody) or cause a denial of service by crashing 
the service. 

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. 
As vendors report new information to the CERT/CC, we will update this 
section and note the changes in our revision history. If a particular 
vendor is not listed below, we have not received their comments. Please 
contact your vendor directly. 

Disable vulnerable service

Until patches can be applied, you may wish to disable the XFS daemon 
(fs.auto). As a best practice, the CERT/CC recommends disabling all 
services that are not explicitly required. On a typical Solaris system, 
it should be possible to disable the fs.auto daemon by commenting out the 
relevant entries in /etc/inetd.conf and then restarting the inetd process. 
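
The following script is an added example and is not part of the CERT/CIAC 
advisory. It carries out the mitigation above on a Solaris inetd 
configuration and then checks netstat output for anything still listening 
on 7100/TCP (the port named under Workarounds). It assumes, as the advisory 
does not state, that the font service is configured in /etc/inetd.conf on a 
line whose first field is the service name "fs", that inetd re-reads its 
configuration on SIGHUP, and that pkill(1) is present (Solaris 7 or later). 
The inetd.conf and netstat excerpts in it are constructed for the dry run, 
not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the CERT/CIAC advisory: comment out the X Font
# Server (fs.auto) entry in a Solaris /etc/inetd.conf and check netstat output
# for anything still listening on 7100/TCP.
#
# Assumptions (not stated by the advisory): on Solaris 2.6 through 9 the
# service is configured in /etc/inetd.conf on a line whose first field is the
# service name "fs", and inetd re-reads its configuration on SIGHUP.

# Constructed inetd.conf excerpt used for the dry run; not a real host's file.
SAMPLE_INETD_CONF='# inetd.conf excerpt (constructed)
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd        in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd     in.telnetd
# Sun font server
fs       stream  tcp  wait    nobody  /usr/openwin/lib/fs.auto fs.auto
dtspc    stream  tcp  nowait  root    /usr/dt/bin/dtspcd       /usr/dt/bin/dtspcd'

# Constructed "netstat -an -f inet" excerpt: one wildcard listener on 7100 and
# one established font-client connection, which is not a listener.
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.7100               *.*                0      0 49152      0 LISTEN
192.168.1.10.7100    192.168.1.50.40012  49640      0 49640      0 ESTABLISHED'

# count_active_fs_entries: read inetd.conf on stdin, print how many
# uncommented lines define the "fs" service (comment lines start with "#", so
# their first field is never exactly "fs").
count_active_fs_entries() {
    awk '$1 == "fs" { n++ } END { print n + 0 }'
}

# disable_fs_entries: read inetd.conf on stdin, write it to stdout with every
# active "fs" line commented out and everything else unchanged.
disable_fs_entries() {
    awk '$1 == "fs" { print "#" $0; next } { print }'
}

# count_7100_listeners: read "netstat -an" output on stdin, print how many
# sockets are in LISTEN state on local port 7100. Solaris prints the local
# address as addr.port, so a wildcard listener appears as "*.7100".
count_7100_listeners() {
    awk '$1 ~ /\.7100$/ && $NF == "LISTEN" { n++ } END { print n + 0 }'
}

# Dry run against the constructed data.
printf '%s\n' "$SAMPLE_INETD_CONF" | disable_fs_entries
echo "active fs entries before: $(printf '%s\n' "$SAMPLE_INETD_CONF" | count_active_fs_entries)"
echo "active fs entries after:  $(printf '%s\n' "$SAMPLE_INETD_CONF" | disable_fs_entries | count_active_fs_entries)"
echo "7100/TCP listeners in sample netstat: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_7100_listeners)"

# Live procedure, run as root with "--apply". Assumes Solaris 7 or later for
# pkill(1); on 2.6 send SIGHUP to the inetd PID taken from "ps -e" instead.
if [ "${1:-}" = "--apply" ]; then
    cp -p /etc/inetd.conf /etc/inetd.conf.pre-n024
    disable_fs_entries < /etc/inetd.conf.pre-n024 > /etc/inetd.conf
    pkill -HUP inetd          # inetd re-reads inetd.conf
    pkill fs.auto             # a "wait" service keeps running until idle
    sleep 2
    echo "7100/TCP listeners now: $(netstat -an -f inet | count_7100_listeners)"
fi
```

Commenting out the inetd entry alone is not enough on a host where fs.auto 
is already serving a client: because the entry is a "wait" service, the 
running daemon keeps its listening socket until it times out, which is why 
the live procedure also kills fs.auto and then re-checks netstat rather 
than trusting the edit.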

Workarounds

Block access to port 7100/TCP at your network perimeter. Note that this 
will not protect vulnerable hosts within your network perimeter. 

Appendix A. - Vendor Information

Hewlett-Packard Company

HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002

reference id:  CERT CA-2002-34, SSRT2429
                  
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 
Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, 
and 11.22
                   
This bulletin is available from the HP IT Resource Center page at: 
http://itrc.hp.com  "Maintenance and Support" then "Support Information 
Digests" and then "hp security bulletins archive" search for bulletin 
HPSBUX0212-228.

NOT IMPACTED:

HP Tru64 UNIX, HP NonStop Servers, HP openMVS 

IBM

The AIX operating system is vulnerable to the xfs issues discussed in 
CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.

IBM provides the following official fixes:

APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)

A temporary patch is available through an efix package which can be found at
ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z. 

Microsoft Corporation

The component in question is not used in any Microsoft product. 

NetBSD

NetBSD ships the xfs from XFree86, though it's not on or used by default. 

OpenBSD

The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. 
OpenBSD 2.7 and later is not. 

Red Hat Inc.

Red Hat Linux is not affected by this vulnerability. 

SGI

We're not vulnerable to this. 

Sun Microsystems

The Solaris X font server (xfs(1)) is affected by VU#312313 in the 
following supported versions of Solaris:

Solaris 2.6
Solaris 7
Solaris 8
Solaris 9

Patches are being generated for all of the above releases.  Sun will be 
publishing a Sun Alert for this issue at the following location shortly:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879

The patches will be available from:

http://sunsolve.sun.com/securitypatch 

SuSE

We are not affected. 

Appendix B. - References

1. ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise 
   Vulnerability - 
   http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541 
2. Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: 
   Sample DSDL Resource Type Implementation - 
   http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view 
3. CERT/CC Vulnerability Note: VU#312313 - 
   http://www.kb.cert.org/vuls/id/312313 
4. CVE reference number CAN-2002-1317. Information available at 
   http://cve.mitre.org 



Internet Security Systems publicly reported this vulnerability. 


Authors: Ian A. Finlay and Shawn V. Hernan. 


This document is available from: 
http://www.cert.org/advisories/CA-2002-34.html 


CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) 
Monday through Friday; they are on call for emergencies during other hours, 
on U.S. holidays, and on weekends. 

Using encryption

We strongly urge you to encrypt sensitive information sent by email. 
Our public PGP key is available from 

  http://www.cert.org/CERT_PGP.key 

If you prefer to use DES, please call the CERT hotline for more information. 

Getting security information

CERT publications and other security information are available from our 
web site 
  http://www.cert.org/ 

To subscribe to the CERT mailing list for advisories and bulletins, send 
email to majordomo@cert.org. Please include in the body of your message

  subscribe cert-advisory 

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent 
and Trademark Office. 



NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software 
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon 
University makes no warranties of any kind, either expressed or implied as 
to any matter including, but not limited to, warranty of fitness for a 
particular purpose or merchantability, exclusivity or results obtained 
from use of the material. Carnegie Mellon University does not make any 
warranty of any kind with respect to freedom from patent, trademark, or 
copyright infringement. 


Conditions for use, disclaimers, and sponsorship information 

Copyright 2002 Carnegie Mellon University.

Revision History 

November 25, 2002: Initial release
November 25, 2002: Added vendor statement for Hewlett-Packard Company
November 25, 2002: Added vendor statement for Microsoft Corporation
December 02, 2002: Added vendor statement for SuSE
December 04, 2002: Added vendor statement for Red Hat Inc.
December 05, 2002: Revised vendor statement for OpenBSD
December 06, 2002: Revised vendor statement Hewlett-Packard Company
December 11, 2002: Added vendor statement for IBM 
   (Note IBM provided their statement on December 5, 2002)

[***** End CERT Advisory CA-2002-34 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability
N-020: Red Hat Multiple Vulnerabilities in KDE
N-021: Cumulative Patch for Internet Explorer
N-022: Red Hat Updated wget packages fix directory traversal bug
N-023: Vulnerability in CIFS/9000 Samba Server
