Original release date: November 25, 2002<br> Last revised: Tue Dec 17 08:17:32 EST 2002<br> Source: CERT/CC<br> <p>A complete revision history can be found at the end of this file.</p> <a name="affected"></a> <h3>Systems Affected</h3> <ul> <li>Sun Microsystems Solaris 2.5.1 (Sparc/Intel)</li> <li>Sun Microsystems Solaris 2.6 (Sparc/Intel)</li> <li>Sun Microsystems Solaris 7 (Sparc/Intel)</li> <li>Sun Microsystems Solaris 8 (Sparc/Intel)</li> <li>Sun Microsystems Solaris 9 (Sparc)</li> </ul> <a name="overview"></a> <h2>Overview</h2> The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service. <br> <a name="description"></a> <h2>I. Description</h2> <p> A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was <A HREF="http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541">discovered</a> by ISS X-Force. <p> The Solaris X Window Font Service (XFS) serves font files to clients. Sun <A HREF="http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view">describes</a> the XFS service as follows: <blockquote><i>The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.</i></blockquote> The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313. 
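<p>Because the service is enabled out of the box, the first step on any unpatched Solaris host is to confirm whether the <font face="courier">fs</font> entry is active in <font face="courier">/etc/inetd.conf</font> and, if it is, to disable it as the Solution section below recommends. The script that follows is an added example; it is not part of the original advisory and not Sun's code. It assumes the stock Solaris layout, in which <font face="courier">inetd</font> starts <font face="courier">/usr/openwin/lib/fs.auto</font> from a line whose first field is <font face="courier">fs</font>, and it operates on a constructed sample copy of that file so it can be run safely anywhere; point it at the real file as root to apply the change, then reload <font face="courier">inetd</font> with the helper shown.</p>

```shell
#!/bin/sh
# Added example (not from the CERT advisory or from Sun): find and disable the
# fs.auto X font server entry that inetd starts on Solaris, then reload inetd.
# Assumptions: the entry's first field is "fs" and inetd reads /etc/inetd.conf;
# the sample file written below is constructed for this example only.

# fs_auto_enabled CONF -> exit status 0 if CONF has an uncommented "fs" entry.
fs_auto_enabled() {
    awk 'substr($0, 1, 1) != "#" && $1 == "fs" { found = 1 }
         END { exit !found }' "$1"
}

# disable_fs_auto CONF -> keeps a copy in CONF.orig, comments out every active
# "fs" entry in CONF and prints how many lines were changed.
disable_fs_auto() {
    conf=$1
    cp "$conf" "$conf.orig" || return 1
    awk 'substr($0, 1, 1) != "#" && $1 == "fs" { $0 = "#" $0; n++ }
         { print > out }
         END { print n + 0 }' out="$conf" "$conf.orig"
}

# reload_inetd -> make the running inetd re-read its configuration.  Needs
# root.  pkill exists from Solaris 7 on; fall back to ps/kill before that.
# Not called below, because the demonstration only touches a sample file.
reload_inetd() {
    if type pkill >/dev/null 2>&1; then
        pkill -HUP -x inetd
    else
        kill -HUP `ps -e | awk '$NF == "inetd" { print $1 }'`
    fi
}

# Constructed sample in the layout of a Solaris inetd.conf; the real file is
# /etc/inetd.conf.  Set SAMPLE to that path (as root) to apply for real.
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
trap 'rm -f "$SAMPLE" "$SAMPLE.orig"' 0
cat > "$SAMPLE" <<'EOF'
# inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#
# Sun OpenWindows X font server (fs.auto), the service in CA-2002-34
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto        fs
EOF

changed=0
if fs_auto_enabled "$SAMPLE"; then
    echo "fs.auto is enabled in $SAMPLE"
    changed=`disable_fs_auto "$SAMPLE"`
    echo "commented out $changed entry(ies); original kept as $SAMPLE.orig"
    # On a real host, now run: reload_inetd
fi
if fs_auto_enabled "$SAMPLE"; then
    echo "fs.auto is still enabled in $SAMPLE" >&2
else
    echo "fs.auto is disabled in $SAMPLE"
fi
# Afterwards, on the real host, netstat -an | grep '\.7100' should show no
# listener on *.7100.
```

<p>The entry is commented out rather than deleted so the backup and the edited file differ by exactly the lines that changed, which makes the change easy to audit and to reverse once the vendor patch is installed. After reloading <font face="courier">inetd</font> on a real system, confirm with <font face="courier">netstat -an</font> that nothing is listening on port 7100/TCP. The CERT/CC vulnerability note cited above is at:</p>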
<blockquote> <a href="http://www.kb.cert.org/vuls/id/312313">http://www.kb.cert.org/vuls/id/312313</a> </blockquote> <p>This vulnerability is also being referred to as CAN-2002-1317 by <A HREF="http://cve.mitre.org">CVE</a>. <p>Note that this vulnerability is in the X Window Font Server, <i>not</i> the filesystem of the same name. <a name="impact"></a> <h2>II. Impact</h2> <p>A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically <font face="courier">nobody</font>) or cause a denial of service by crashing the service. Any host that can reach port 7100/TCP on a vulnerable system can attempt the attack. <br> <a name="solution"></a> <h2>III. Solution</h2> <h4>Apply a patch from your vendor</h4> <p> <a href="#vendors">Appendix A</a> contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly. </p> <H4>Disable vulnerable service</H4> <p> Until patches can be applied, you may wish to disable the XFS daemon (fs.auto). As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, fs.auto is started on demand by <font face="courier">inetd</font>; it can be disabled by commenting out the <font face="courier">fs</font> entry in <font face="courier">/etc/inetd.conf</font> and then sending <font face="courier">inetd</font> a HUP signal (or restarting it) so that it re-reads its configuration. Afterwards, confirm that nothing is listening on port 7100/TCP. </p> <a name="workarounds"></a> <h4>Workarounds</h4> Block inbound access to port 7100/TCP at your network perimeter. Note that this does not protect vulnerable hosts from attackers already inside your network perimeter, so it is a stopgap until the service is patched or disabled, not a substitute for either. <BR> <a name="vendors"></a> <h2>Appendix A. 
- Vendor Information</h2> <a name="hp"></a> <h4>Hewlett-Packard Company</h4> HEWLETT-PACKARD COMPANY<br> SECURITY BULLETIN: HPSBUX0212-228<br> Originally issued: 4 Dec 2002<br> <br> reference id: CERT CA-2002-34, SSRT2429<br> <br> HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, and 11.22<br> <br> This bulletin is available from the HP IT Resource Center page at: <a href="http://itrc.hp.com">http://itrc.hp.com</a> "Maintenance and Support" then "Support Information Digests" and then "hp security bulletins archive" search for bulletin HPSBUX0212-228.<br> <br> NOT IMPACTED:<br> <br> HP Tru64 UNIX, HP NonStop Servers, HP openMVS <!-- end vendor --> <a name="ibm"></a> <h4>IBM</h4> The AIX operating system is vulnerable to the xfs issues discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.<br> <br> IBM provides the following official fixes:<br> <br> APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)<br> APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)<br> APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)<br> <br> A temporary patch is available through an efix package which can be found at <a href="ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z">ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z</a>. <a name="microsoft"></a> <h4>Microsoft Corporation</h4> The component in question is not used in any Microsoft product. <a name="NetBSD"></a> <h4>NetBSD</h4> NetBSD ships the xfs from XFree86, though it's not on or used by default. <!-- end vendor --> <a name="nortel"></a> <h4>Nortel Networks</h4> Nortel Networks products and solutions using the affected Sun Solaris operating systems may utilize the XFS daemon; it is installed and running by default on all versions of the Solaris operating system. 
Nortel Networks recommends either disabling this feature or, if XFS must be run, following CERT/CC's recommendations to block access to Port 7100/TCP at the network perimeter. Nortel Networks also recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification. <br> <br> For more information please contact Nortel at:<br> <br> North America: 1-8004NORTEL or 1-800-466-7835<br> Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 9079009<br> <br> Contacts for other regions are available at<br> <a href="http://www.nortelnetworks.com/help/contact/global/">www.nortelnetworks.com/help/contact/global/</a> <!-- end vendor --> <a name="OpenBSD"></a> <h4>OpenBSD</h4> The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. OpenBSD 2.7 and later is not. <!-- end vendor --> <a name="redhat"></a> <h4>Red Hat Inc.</h4> Red Hat Linux is not affected by this vulnerability. <!-- end vendor --> <a name="SGI"></a> <h4>SGI</h4> We're not vulnerable to this. <a name="Sun Microsystems"></a> <h4>Sun Microsystems</h4> The Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:<br> <br> Solaris 2.6<br> Solaris 7<br> Solaris 8<br> Solaris 9<br> <br> Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:<br> <br> <a href="http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879">http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879</a><br> <br> The patches will be available from:<br> <br> <a href="http://sunsolve.sun.com/securitypatch">http://sunsolve.sun.com/securitypatch</a> <!-- end vendor --> <a name="SuSE"></a> <h4>SuSE</h4> We are not affected. <!-- end vendor --> <a name="references"> <H2>Appendix B. 
- References</H2> <OL> <li><a name="ref1"></a> ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise Vulnerability - <A HREF="http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541">http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541</a></li> <li><a name="ref2"></a> Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation - <A HREF="http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view">http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view</a></li> <li><a name="ref3"></a> CERT/CC Vulnerability Note: VU#312313 - <A HREF="http://www.kb.cert.org/vuls/id/312313">http://www.kb.cert.org/vuls/id/312313</a></li> <li><a name="ref4"></a> CVE reference number CAN-2002-1317. Information available at <a href="http://cve.mitre.org">http://cve.mitre.org</a></li> </OL> <hr noshade> <p><i>Internet Security Systems</i> publicly <A HREF="https://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541">reported</a> this vulnerability. <hr noshade> <p>Authors: <a href="mailto:cert@cert.org?subject=CA-2002-34%20Feedback%20VU%23312313">Ian A. Finlay and Shawn V. Hernan</a>. <p>Copyright 2002 Carnegie Mellon University.</p> <p>Revision History</p> <pre> November 25, 2002: Initial release November 25, 2002: Added vendor statement for Hewlett-Packard Company November 25, 2002: Added vendor statement for Microsoft Corporation December 02, 2002: Added vendor statement for SuSE December 04, 2002: Added vendor statement for Red Hat Inc. December 05, 2002: Revised vendor statement for OpenBSD December 06, 2002: Revised vendor statement for Hewlett-Packard Company December 11, 2002: Added vendor statement for IBM (Note IBM provided their statement on December 5, 2002) December 17, 2002: Added vendor statement for Nortel Networks </pre>