VID: 23029
Severity: 40
Port: 7100
Protocol: TCP
Class: X11
Detailed Description:
A version of the XFS daemon is detected as running on the host. Multiple vendors' X Font Server is vulnerable to a remote buffer overflow attack. A remotely exploitable buffer overrun condition has been reported in fs.auto, the implementation of the X Window Font Service (XFS) used by multiple vendors. By sending a malformed XFS query to a vulnerable system, a remote attacker could overflow a buffer in the fs.auto Dispatch() routine to cause the service to crash or to execute arbitrary code on the server with the privileges of the "nobody" user.
* Note: This check does not perform an actual test to assess this vulnerability; it relies solely on the presence of the xfs daemon on the remote server, so the result may be a false positive.
* References:
  http://www.cert.org/advisories/CA-2002-34.html
  http://www.kb.cert.org/vuls/id/312313
  http://www.ciac.org/ciac/bulletins/n-024.shtml
  http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
* Platforms Affected:
  XFree86 X11R6 3.3, 3.3.2, 3.3.3, 3.3.4, 3.3.5
  HP HP-UX 10.xx ~ 11.xx
  Sun Solaris 2.5.1, 2.6, 7, 8, 9
  IBM AIX 4.3, 5.1, 5.2
Recommendation:
For Sun Solaris systems: Apply the appropriate patch for your system, as listed in Sun Alert ID 48879 at http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1
For SGI IRIX 6.5.x: Apply the appropriate patch for your system, as listed in SGI Security Advisory 20021202-01-I at ftp://patches.sgi.com/support/free/security/advisories/20021202-01-I
For IBM AIX 4.3, 5.1, and 5.2: Apply the appropriate patch for your system. IBM provides the following official fixes:
  APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
  APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
  APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)
  A temporary patch is available as an efix package at ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z
For HP HP-UX: Apply the appropriate patch for your system, as listed in HP Security Bulletin HPSBUX0212-228 at http://www.securityfocus.com/advisories/4988
-- OR --
Disable the fs.auto service if it is not required. Administrators can disable fs.auto by editing the inetd configuration file (/etc/inetd.conf) and then restarting the inetd process, as follows:
To disable fs.auto on a Solaris system:
1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line, so that it reads:
   #fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
2. Tell the inetd process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
   # kill -HUP <inetd process id>
* Solaris 10 or later: stop the fs.auto service through SMF instead:
   # svcadm disable svc:/application/x11/xfs:default
   # pkill -x xfs
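The inetd.conf procedure above, as an added shell example that is not part of the original record: it comments out the active fs entry, keeps a backup, and reports whether fs.auto is still enabled, so the edit can be verified before inetd is signalled. The function names, the file-path argument and the sample inetd.conf fragment are constructed for this example; the SIGHUP and svcadm steps are the ones quoted in the recommendation.

```shell
#!/bin/sh
# Added example, not part of the original advisory record: apply the
# "disable fs.auto in inetd.conf" recommendation to a file path given as an
# argument and report its state. The function names, the path argument and
# the sample inetd.conf fragment below are constructed for this example.

# Report "enabled" when the file still has an active (uncommented) fs.auto
# entry, "disabled" otherwise. Only the service name, socket type and
# protocol columns are matched, so column spacing does not matter.
fs_auto_status() {
    if grep -Eq '^[[:space:]]*fs[[:space:]]+stream[[:space:]]+tcp' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# Comment out every active fs.auto entry in the file, keeping a .bak copy.
# Already-commented lines are left untouched, so running it twice is harmless.
# The edit is written to a temp file and moved into place so that a failed
# sed never leaves a truncated configuration behind.
disable_fs_auto() {
    cp -p "$1" "$1.bak" || return 1
    sed -E 's/^([[:space:]]*)(fs[[:space:]]+stream[[:space:]]+tcp)/\1#\2/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# After the file is edited, inetd must reread it (SIGHUP), as the
# recommendation says. Not run in this example; on Solaris 10 or later the
# svcadm/pkill commands from the recommendation replace this step.
reload_inetd() {
    pkill -HUP -x inetd
}

# Constructed sample inetd.conf fragment (the fs line mirrors the Solaris
# entry quoted in the recommendation); a real system would use /etc/inetd.conf.
SAMPLE_CONF=$(mktemp) || exit 1
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf fragment
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto fs
EOF

echo "before: $(fs_auto_status "$SAMPLE_CONF")"
disable_fs_auto "$SAMPLE_CONF"
echo "after:  $(fs_auto_status "$SAMPLE_CONF")"
```

Because the scanner check only looks for a listening xfs daemon, re-running the scan after the change (rather than trusting the file edit alone) is what confirms the finding is closed.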
Related URL: CVE-2002-1317 (CVE)
Related URL: 6241 (SecurityFocus)
Related URL: 10375 (ISS)