|
|
ESB-2007.0778 -- [Solaris] -- Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers |
|
Date: 17 January 2008 Original URL: http://www.auscert.org.au/render.html?cid=1980&it=8192 References: ESB-2007.0743 ESB-2008.0058 ESB-2008.0063 Click here for PGP verifiable version -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0778 -- [Solaris]
Multiple Security Issues Within The X Font Server (xfs(1))
QueryXBitmaps and QueryXExtents Protocol Handlers
18 January 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: X Font Server (xfs)
Publisher: Sun Microsystems
Operating System: Solaris 10 Operating System
Solaris 9 Operating System
Solaris 8 Operating System
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2007-4990 CVE-2007-4568
Ref: ESB-2007.0743
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-103114-1
Revision History: January 18 2008: Updated the Contributing Factors
section adding x86 Solaris 8 back as
a vulnerable release.
Updated the Resolution section adding
the patch available for Solaris 8.
November 16 2007: Updated the state to Workaround.
Updated the contributing factors
removing x86 Solaris 8 from the
vulnerable list.
Updated the Relief/Workaround to add
available T-patch for x86 Solaris 8.
Updated the Resolution to remove x86
Solaris 8 from the addressed releases
list.
November 8 2007: Final Patches Available
October 15 2007: Interim Security Relief available
October 12 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 103114
* Synopsis: Multiple Security Issues Within The X Font Server
(xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6601751, 6601756
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 10-Oct-2007, 06-Nov-2007
* Date Closed: 17-Jan-2008
* Date Modified: 11-Oct-2007, 06-Nov-2007, 13-Nov-2007, 17-Jan-2008
1. Impact
There exists multiple security vulnerabilities within the handlers for
the QueryXBitmaps and QueryXExtents protocol requests for the X Font
Server, xfs(1), included with Solaris. These vulnerabilities may allow
a local or remote unprivileged user the ability to execute arbitrary
code with the privileges of the X font server. The X font server runs
as the unprivileged user "nobody" (uid 60001) on Solaris. These
vulnerabilities may allow also allow users to consume all available
memory on a system resulting in a Denial of Service (DoS).
These issues are also referenced in the following documents:
* CVE-2007-4568 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4568
* CVE-2007-4990 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4990
* http://bugs.freedesktop.org/show_bug.cgi?id=12298
* http://bugs.freedesktop.org/show_bug.cgi?id=12299
* http://labs.idefense.com/intelligence/vulnerabilities/display.p
hp?id=602
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
* Solaris 8 without patch 109862-05
* Solaris 9 without patch 113923-04
* Solaris 10 without patch 119059-32
x86 Platform
* Solaris 8 without patch 109863-05
* Solaris 9 without patch 113924-04
* Solaris 10 without patch 119060-31
The system is only impacted if the X Font Server is enabled or is
running. The X Font Server can be started manually, but is normally
started by the service management facility (smf(5)) or the Internet
services daemon (inetd(1M)).
To determine the state of the X font server on Solaris 8 and Solaris 9
systems the "/etc/inet/inetd.conf" (see inetd.conf(4)) file will
contain entry similar to the following:
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
To determine the state of the X Font Server for Solaris 10, the
following command can be used:
$ svcs svc:/application/x11/xfs
To determine if the X font server is running on a Solaris 8, 9, or 10
system the following command can be used:
$ pgrep -x xfs || echo "xfs(1) isn't running on this system"
3. Symptoms
If the described issue occurs, the X Font Server (xfs(1)) may exit
unexpectedly, potentially leaving a core file within the root file
system.
There are no predictable symptoms that would indicate that this issue
has been exploited to execute arbitrary code on a system.
4. Relief/Workaround
To work around the described issue, disable the X Font Service by
doing the following:
For Solaris 10:
# svcadm disable svc:/application/x11/xfs:default
# pkill -x xfs
For Solaris 8 and Solaris 9:
The X font server can be disabled by commenting out (with "#") the
following line in the "inetd.conf" file:
# fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
Have the inetd(1M) process reread the newly modified "/etc/inetd.conf"
file by sending it a "hangup" signal, SIGHUP, as the root user:
# pkill -HUP -x inetd
# pkill -x xfs
This workaround will cause font server operations for the X terminals
and remote X sessions to fail.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patch 109862-05 or later
* Solaris 9 with patch 113923-04 or later
* Solaris 10 with patch 119059-32 or later
x86 Platform
* Solaris 8 with patch 109863-05 or later
* Solaris 9 with patch 113924-04 or later
* Solaris 10 with patch 119060-31 or later
Note: The patches should have the "rebootafter" patch property,
however, the Solaris 9 and Solaris 10 patches are missing that
property and new revisions are being built.
Special patch install instructions:
For the changes in the Solaris 9 and Solaris 10 patches to become
effective, a reboot must be performed, or alternatively, the X Window
System font server process "xfs" must be killed if it is running.
The "X font server", is normally started automatically from "inetd" on
Solaris when a request for a font service is received. Xsun clients
using the font server will detect the font server shutdown and
reconnect automatically to a new instance of the font server.
Unfortunately, other font clients, such as some versions of "Xvnc",
will not reconnect automatically and will need to be stopped before
killing the font server and restarted again after the font server is
restarted. (If "xfs" is still being run from "inetd", "inetd" will
automatically restart on the first connection attempt.)
To kill the font server, as root, run the following command:
# pkill -x xfs
Change History
11-Oct-2007:
* Updated Relief/Workaround section
06-Nov-2007:
* State: Resolved
* Updated Contributing Factors and Resolution sections
13-Nov-2007:
* Updated State to Workaround
* Updated the Contributing Factors, Relief/Workaround, and
Resolution sections
17-Jan-2008:
* State: Resolved
* Updated Contributing Factors and Resolution sections
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR4/4kyh9+71yA2DNAQIF4AP9HRAP+H9Un5bJPCp5hBM8LK2arTOT1mrZ
Q2sz6rDeSJWWXs6bG5jtVcHTaW+byNQzYSdYzHUkOrdUyDyYfx5dVLvb/4j89CPV
ktpGSy1Js+B3He2UJirEZwdPbfpMwKPrKdhojkx4Ux/sJ/eKkUiKm9aiCZgsdLTi
IJjIRrJPDwM=
=j1jD
-----END PGP SIGNATURE-----
|