CERT® Advisory CA-2002-34 Buffer Overflow in Solaris X Window Font Service
Original release date: November 25, 2002
Last revised: Tue Dec 17 08:17:32 EST 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
- Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
- Sun Microsystems Solaris 2.6 (Sparc/Intel)
- Sun Microsystems Solaris 7 (Sparc/Intel)
- Sun Microsystems Solaris 8 (Sparc/Intel)
- Sun Microsystems Solaris 9 (Sparc)
Overview
The Solaris X Window Font Service (XFS) daemon (fs.auto)
contains a remotely exploitable buffer overflow vulnerability that could
allow an attacker to execute arbitrary code or cause a denial of service.
I. Description
A remotely exploitable buffer overflow vulnerability exists in the
Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this
vulnerability can lead to arbitrary code execution on a vulnerable Solaris
system. This vulnerability was discovered
by ISS X-Force.
The Solaris X Window Font Service (XFS) serves font files to clients. Sun
describes the XFS service as follows:
The X Font Server is a simple TCP/IP-based service that
serves font files to its clients. Clients connect to the server to
request a font set, and the server reads the font files off the disk and
serves them to the clients. The X Font Server daemon consists of a
server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on all versions of the
Solaris operating system. Further information about this vulnerability may
be found in VU#312313.
http://www.kb.cert.org/vuls/id/312313
This vulnerability is also being referred to as CAN-2002-1317 by CVE.
Note that this vulnerability is in the X Window Font Server, not in the
filesystem of a similar name.
II. Impact
A remote attacker can execute arbitrary code with the privileges of the
fs.auto daemon (typically nobody) or cause a denial of service by crashing
the service.
III. Solution
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As
vendors report new information to the CERT/CC, we will update this section
and note the changes in our revision history. If a particular vendor is
not listed below, we have not received their comments. Please contact your
vendor directly.
Disable vulnerable service
Until patches can be applied, you may wish to disable the XFS daemon
(fs.auto). As a best practice, the CERT/CC recommends disabling all
services that are not explicitly required. On a typical Solaris system, it
should be possible to disable the fs.auto daemon by commenting out the
relevant entries in /etc/inetd.conf and then restarting the inetd process.
Workarounds
Block access to port 7100/TCP at your network perimeter. Note that this
will not protect vulnerable hosts within your network perimeter.
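The two interim measures above, commenting out the fs.auto entry in /etc/inetd.conf and reloading inetd, then checking that nothing on the host still listens on 7100/TCP, written out as a Bourne shell script. This is an added example and is not part of the advisory or of Sun's or CERT/CC's tooling. It assumes that the inetd.conf entry's command field names fs.auto, that Solaris inetd re-reads its configuration on SIGHUP, and the column layouts of Solaris ps -e and netstat -an noted in the comments; the sample data in the usage section below is constructed.

```sh
#!/bin/sh
# Added example, not part of the CERT advisory or of Sun's tooling.
# Assumptions (not stated in the advisory): the inetd.conf entry for the
# font server names the daemon as fs.auto, and inetd re-reads its
# configuration when sent SIGHUP (standard Solaris behaviour).

# count_active_xfs FILE
# Prints how many uncommented lines in FILE reference fs.auto.
count_active_xfs() {
    awk '/^[ \t]*#/ { next }
         /fs\.auto/ { n++ }
         END { print n + 0 }' "$1"
}

# disable_xfs_in_inetd FILE
# Comments out every active fs.auto entry in FILE in place.
# Returns 0 if at least one entry was disabled, 1 if nothing matched
# (the file is then left untouched).
disable_xfs_in_inetd() {
    file="$1"
    tmp="${file}.tmp.$$"
    awk '/^[ \t]*#/ { print; next }           # already disabled
         /fs\.auto/ { print "#" $0; n++; next }
         { print }
         END { if (n == 0) exit 1 }' "$file" > "$tmp" || {
        rm -f "$tmp"
        return 1
    }
    # Overwrite through cat so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# reload_inetd
# Asks the running inetd to re-read /etc/inetd.conf. Solaris 7 and later
# ship pkill; older releases fall back to ps/awk (assumed: ps -e prints
# the command name in the fourth column).
reload_inetd() {
    if command -v pkill >/dev/null 2>&1; then
        pkill -HUP -x inetd
    else
        kill -HUP $(ps -e | awk '$4 == "inetd" { print $1 }')
    fi
}

# xfs_listener_present
# Reads "netstat -an" output on stdin and returns 0 if a TCP listener is
# still bound to port 7100 (Solaris prints the local address as *.7100;
# the host:7100 form is accepted too), 1 otherwise.
xfs_listener_present() {
    awk '/LISTEN/ && /[.:]7100[ \t]/ { found = 1 }
         END { if (!found) exit 1 }'
}

# Usage: sh disable_xfs.sh --apply   (run as root on the Solaris host)
if [ "${1:-}" = "--apply" ]; then
    if disable_xfs_in_inetd /etc/inetd.conf; then
        reload_inetd
        if netstat -an | xfs_listener_present; then
            echo "warning: something is still listening on 7100/TCP" >&2
        fi
    else
        echo "no active fs.auto entry found in /etc/inetd.conf" >&2
    fi
fi
```

The edit is done with awk rather than sed so that lines that are already commented out are left alone and the script reports whether it actually changed anything; a second run is therefore a harmless no-op. The listener check only shows what the host itself is bound to, so it confirms the inetd change, not the perimeter block on 7100/TCP, which has to be verified at the filtering device.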
Appendix A. - Vendor Information
Hewlett-Packard Company
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002
reference id: CERT CA-2002-34, SSRT2429
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000
Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11,
and 11.22
This bulletin is available from the HP IT Resource Center page at:
http://itrc.hp.com/ "Maintenance and Support" then "Support Information
Digests" and then "hp security bulletins archive" search for bulletin
HPSBUX0212-228.
NOT IMPACTED: HP Tru64 UNIX, HP NonStop Servers, HP openMVS
IBM
The AIX operating system is vulnerable to the xfs issues
discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.
IBM provides the following official fixes:
APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)
A temporary patch is available through an efix package which can be found
at ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z.
Microsoft Corporation
The component in question is not used in any
Microsoft product.
NetBSD
NetBSD ships the xfs from XFree86, though it's not on or used by default.
Nortel Networks
Nortel Networks products and solutions using the
affected Sun Solaris operating systems may utilize the XFS daemon; it is
installed and running by default on all versions of the Solaris operating
system. Nortel Networks recommends either disabling this feature or, if
XFS must be run, following CERT/CC's recommendations to block access to
Port 7100/TCP at the network perimeter. Nortel Networks also recommends
following the mitigating practices in Sun Microsystems Inc.'s Alert
Notification.
For more information please contact Nortel at:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 9079009
Contacts for other regions are available at
www.nortelnetworks.com/help/contact/global/
OpenBSD
The xfs daemon in OpenBSD versions up to and including 2.6
is vulnerable. OpenBSD 2.7 and later is not.
Red Hat Inc.
Red Hat Linux is not affected by this vulnerability.
SGI
We're not vulnerable to this.
Sun Microsystems
The Solaris X font server (xfs(1)) is affected by
VU#312313 in the following supported versions of Solaris:
Solaris 2.6
Solaris 7
Solaris 8
Solaris 9
Patches are being generated for all of the above releases. Sun will be
publishing a Sun Alert for this issue at the following location shortly:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879
The patches will be available from:
http://sunsolve.sun.com/securitypatch
SuSE
We are not affected.
Appendix B. - References
- ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise
  Vulnerability - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
- Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample
  DSDL Resource Type Implementation - http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view
- CERT/CC Vulnerability Note: VU#312313 - http://www.kb.cert.org/vuls/id/312313
- CVE reference number CAN-2002-1317. Information available at http://cve.mitre.org/
Internet Security Systems publicly reported this vulnerability.
Authors: Ian A. Finlay and Shawn V. Hernan.
This document is available from: http://www.cert.org/advisories/CA-2002-34.html
CERT Copyright Material