copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
Security Bul...
»
AusCERT Exte...
» ESB-2007.0778 -- [Solaris] -- Multiple Security Issu...
ESB-2007.0778 -- [Solaris] -- Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers
Date:
17 January 2008
References
:
ESB-2007.0743
ESB-2008.0058
ESB-2008.0063
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2007.0778 -- [Solaris] Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers 18 January 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: X Font Server (xfs) Publisher: Sun Microsystems Operating System: Solaris 10 Operating System Solaris 9 Operating System Solaris 8 Operating System Impact: Execute Arbitrary Code/Commands Access: Remote/Unauthenticated CVE Names: CVE-2007-4990 CVE-2007-4568 Ref: ESB-2007.0743 Original Bulletin: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-103114-1 Revision History: January 18 2008: Updated the Contributing Factors section adding x86 Solaris 8 back as a vulnerable release. Updated the Resolution section adding the patch available for Solaris 8. November 16 2007: Updated the state to Workaround. Updated the contributing factors removing x86 Solaris 8 from the vulnerable list. Updated the Relief/Workaround to add available T-patch for x86 Solaris 8. Updated the Resolution to remove x86 Solaris 8 from the addressed releases list. November 8 2007: Final Patches Available October 15 2007: Interim Security Relief available October 12 2007: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Sun(sm) Alert Notification * Sun Alert ID: 103114 * Synopsis: Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers * Category: Security * Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System * BugIDs: 6601751, 6601756 * Avoidance: Patch, Workaround * State: Resolved * Date Released: 10-Oct-2007, 06-Nov-2007 * Date Closed: 17-Jan-2008 * Date Modified: 11-Oct-2007, 06-Nov-2007, 13-Nov-2007, 17-Jan-2008 1. Impact There exists multiple security vulnerabilities within the handlers for the QueryXBitmaps and QueryXExtents protocol requests for the X Font Server, xfs(1), included with Solaris. These vulnerabilities may allow a local or remote unprivileged user the ability to execute arbitrary code with the privileges of the X font server. The X font server runs as the unprivileged user "nobody" (uid 60001) on Solaris. These vulnerabilities may allow also allow users to consume all available memory on a system resulting in a Denial of Service (DoS). These issues are also referenced in the following documents: * CVE-2007-4568 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568 * CVE-2007-4990 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990 * http://bugs.freedesktop.org/show_bug.cgi?id=12298 * http://bugs.freedesktop.org/show_bug.cgi?id=12299 * http://labs.idefense.com/intelligence/vulnerabilities/display.p hp?id=602 2. Contributing Factors These issues can occur in the following releases: SPARC Platform * Solaris 8 without patch 109862-05 * Solaris 9 without patch 113923-04 * Solaris 10 without patch 119059-32 x86 Platform * Solaris 8 without patch 109863-05 * Solaris 9 without patch 113924-04 * Solaris 10 without patch 119060-31 The system is only impacted if the X Font Server is enabled or is running. The X Font Server can be started manually, but is normally started by the service management facility (smf(5)) or the Internet services daemon (inetd(1M)). To determine the state of the X font server on Solaris 8 and Solaris 9 systems the "/etc/inet/inetd.conf" (see inetd.conf(4)) file will contain entry similar to the following: fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs To determine the state of the X Font Server for Solaris 10, the following command can be used: $ svcs svc:/application/x11/xfs To determine if the X font server is running on a Solaris 8, 9, or 10 system the following command can be used: $ pgrep -x xfs || echo "xfs(1) isn't running on this system" 3. Symptoms If the described issue occurs, the X Font Server (xfs(1)) may exit unexpectedly, potentially leaving a core file within the root file system. There are no predictable symptoms that would indicate that this issue has been exploited to execute arbitrary code on a system. 4. Relief/Workaround To work around the described issue, disable the X Font Service by doing the following: For Solaris 10: # svcadm disable svc:/application/x11/xfs:default # pkill -x xfs For Solaris 8 and Solaris 9: The X font server can be disabled by commenting out (with "#") the following line in the "inetd.conf" file: # fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs Have the inetd(1M) process reread the newly modified "/etc/inetd.conf" file by sending it a "hangup" signal, SIGHUP, as the root user: # pkill -HUP -x inetd # pkill -x xfs This workaround will cause font server operations for the X terminals and remote X sessions to fail. 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 8 with patch 109862-05 or later * Solaris 9 with patch 113923-04 or later * Solaris 10 with patch 119059-32 or later x86 Platform * Solaris 8 with patch 109863-05 or later * Solaris 9 with patch 113924-04 or later * Solaris 10 with patch 119060-31 or later Note: The patches should have the "rebootafter" patch property, however, the Solaris 9 and Solaris 10 patches are missing that property and new revisions are being built. Special patch install instructions: For the changes in the Solaris 9 and Solaris 10 patches to become effective, a reboot must be performed, or alternatively, the X Window System font server process "xfs" must be killed if it is running. The "X font server", is normally started automatically from "inetd" on Solaris when a request for a font service is received. Xsun clients using the font server will detect the font server shutdown and reconnect automatically to a new instance of the font server. Unfortunately, other font clients, such as some versions of "Xvnc", will not reconnect automatically and will need to be stopped before killing the font server and restarted again after the font server is restarted. (If "xfs" is still being run from "inetd", "inetd" will automatically restart on the first connection attempt.) To kill the font server, as root, run the following command: # pkill -x xfs Change History 11-Oct-2007: * Updated Relief/Workaround section 06-Nov-2007: * State: Resolved * Updated Contributing Factors and Resolution sections 13-Nov-2007: * Updated State to Workaround * Updated the Contributing Factors, Relief/Workaround, and Resolution sections 17-Jan-2008: * State: Resolved * Updated Contributing Factors and Resolution sections This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBR4/4kyh9+71yA2DNAQIF4AP9HRAP+H9Un5bJPCp5hBM8LK2arTOT1mrZ Q2sz6rDeSJWWXs6bG5jtVcHTaW+byNQzYSdYzHUkOrdUyDyYfx5dVLvb/4j89CPV ktpGSy1Js+B3He2UJirEZwdPbfpMwKPrKdhojkx4Ux/sJ/eKkUiKm9aiCZgsdLTi IJjIRrJPDwM= =j1jD -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1980&it=8192