Original release date:  November 12, 2001<BR>
Last revised:  May 30, 2002<br>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.
</p>
<A NAME="affected"><H3>Systems Affected</H3></A>

<ul>
<li>Systems running CDE</li>
</ul>

<A NAME="overview"><H2>Overview</H2></A>

<P>
There is a remotely exploitable buffer overflow vulnerability in a library function used by the CDE Subprocess Control Service.  This vulnerability could be used to crash the service or to execute arbitrary code with root privileges.  This vulnerability is documented in <a href="http://www.kb.cert.org/vuls/id/172583">VU#172583</a>.
</P>
<A NAME="description"><H2>I. Description</H2></A>
<p>
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems.  The CDE Subprocess Control Service (<font face="Courier">dtspcd</font>) is a network daemon that accepts requests from clients to execute commands and launch applications remotely.  On systems running CDE, <font face="Courier">dtspcd</font> is spawned by the Internet services daemon (typically <font face="Courier">inetd</font> or <font face="Courier">xinetd</font>) in response to a CDE client request.  <font face="Courier">dtspcd</font> is typically configured to run on port 6112/tcp with root privileges.
</p>
<p>For more information about CDE, see</p>
<dl>
<dd>
<a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a>
<br><br>
<a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a>
</dd>
</dl>
<P>There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by <font face="Courier">dtspcd</font>.  During client negotiation, <font face="Courier">dtspcd</font> accepts a length value and subsequent data from the client without performing adequate input validation.  As a result, a malicious client can manipulate data sent to <font face="Courier">dtspcd</font> and cause a buffer overflow, potentially executing code with root privileges.</P>
<p>This vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) <a href="http://xforce.iss.net/">X-Force</a>.  For more information, see</p>
<dl>
<dd>
<a href="http://www.kb.cert.org/vuls/id/172583">http://www.kb.cert.org/vuls/id/172583</a>
<br><br>
<a href="http://xforce.iss.net/alerts/advise101.php">http://xforce.iss.net/alerts/advise101.php</a>
</dd>
</dl>

<P>This vulnerability has been assigned the identifier CAN-2001-0803
by the Common Vulnerabilities and Exposures (<a href="http://cve.mitre.org/">CVE</a>) group:</P>
<dl>
<dd>
<A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803</a>
</dd>
</dl>

<p>
Many common UNIX systems ship with CDE installed and enabled by default.  To determine if your system is configured to run <font face="Courier">dtspcd</font>, check for the following entries (may be wrapped):
</p>
<dl>
<dd>
<font face="Courier">/etc/services</font>
<dl>
<dd>
<font face="Courier">dtspc  6112/tcp</font>
</dd>
</dl>
<font face="Courier">/etc/inetd.conf</font>
<dl>
<dd>
<font face="Courier">dtspc  stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd</font>
</dd>
</dl>
</dd>
</dl>
<p>
Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem.
</p>

<A NAME="impact"><H2>II. Impact</H2></A>

<p>An attacker can execute arbitrary code with root privileges.</p>

<A NAME="solution"><H2>III. Solution</H2></A>

<H4>Apply a patch</H4>
<p>
<A HREF="#vendors">Appendix A</a> contains the information vendors have provided for this advisory.  We will update the appendix as we receive more information.  If a vendor's name does not appear, then the CERT/CC did not hear from that vendor.  Please contact your vendor directly.
</p>

<H4>Limit access to vulnerable service</H4>
<p>Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet.  Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service.  As noted above, <font face="Courier">dtspcd</font> is typically configured to listen on port 6112/tcp.  It may be possible to use <a href="ftp://ftp.porcupine.org/pub/security/index.html">TCP Wrapper</a> or a similar technology to provide improved access control and logging functionality for <font face="Courier">dtspcd</font> connections.  Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network.  It is important to understand your network configuration and service requirements before deciding what changes are appropriate.  <a href="ftp://ftp.porcupine.org/pub/security/index.html">TCP Wrapper</a> is available from</p>
<dl>
<dd>
<a href="ftp://ftp.porcupine.org/pub/security/index.html">ftp://ftp.porcupine.org/pub/security/index.html</a>
</dd>
</dl>
<H4>Disable vulnerable service</H4>
<p>
You may wish to consider disabling <font face="Courier">dtspcd</font> by commenting out the appropriate entry in <font face="Courier">/etc/inetd.conf</font>.  As a best practice, the CERT/CC recommends disabling any services that are not explicitly required.  As noted above, it is important to consider the consequences of such a change in your environment.
</p>
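<p>An added example (not part of the CERT advisory) that automates the configuration check from section I and the disable workaround above: it greps copies of <font face="Courier">/etc/services</font> and <font face="Courier">/etc/inetd.conf</font> for the <font face="Courier">dtspc</font> entries, ignoring commented-out lines, and emits a copy of <font face="Courier">inetd.conf</font> with the entry commented out.  The function names and the sample files are constructed for this illustration.</p>

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: checks whether a host is
# configured to run the CDE Subprocess Control Service (dtspcd) by looking
# for the /etc/services and /etc/inetd.conf entries quoted in section I,
# and applies the section III workaround (comment out the inetd entry) to
# a copy of the file.  Paths are parameters so it can run against copies.

# Return 0 if FILE maps the "dtspc" service to 6112/tcp (full-line
# comments are ignored; a trailing "# ..." comment on the entry is allowed).
dtspc_in_services() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*dtspc[[:space:]]+6112/tcp([[:space:]]|$)'
}

# Return 0 if FILE contains an active (uncommented) inetd entry for dtspc.
dtspc_in_inetd() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*dtspc[[:space:]]+stream[[:space:]]+tcp([[:space:]]|$)'
}

# Print FILE with every active dtspc entry commented out; the original is
# not modified.  inetd must re-read its configuration for this to take effect.
disable_dtspc_entry() {
    sed -E 's/^([[:space:]]*dtspc[[:space:]]+stream[[:space:]]+tcp([[:space:]].*)?)$/#\1/' "$1"
}

# Constructed sample files for demonstration (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/services" <<'EOF'
# Network services, Internet style
ftp     21/tcp
dtspc   6112/tcp    # CDE Subprocess Control
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp    stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd
dtspc  stream  tcp  nowait  root  /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
EOF

if dtspc_in_services "$SAMPLE_DIR/services" \
   && dtspc_in_inetd "$SAMPLE_DIR/inetd.conf"; then
    echo "dtspcd is enabled in the sample configuration (6112/tcp, root)"
fi
disable_dtspc_entry "$SAMPLE_DIR/inetd.conf" > "$SAMPLE_DIR/inetd.conf.disabled"
if ! dtspc_in_inetd "$SAMPLE_DIR/inetd.conf.disabled"; then
    echo "after commenting out the entry, dtspcd is no longer enabled"
fi
```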

<A NAME="vendors"><H2>Appendix A. - Vendor Information</H2></A>

<P>This appendix contains information provided by vendors for this advisory.  When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history.  If a particular vendor is not listed below, we have not received their comments.</P>

<p>
<A NAME="caldera"><H4>Caldera, Inc.</H4></A>
<p>Caldera Open Unix and UnixWare are vulnerable.  Caldera has released Security Advisory <a href="ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt">CSSA-2001-SCO.30</a> (URL wrapped):</p>
<dl>
<dd>
<a href="ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt">ftp://stage.caldera.com/pub/security/openunix/<br>CSSA-2001-SCO.30/CSSA-2001-SCO.30.txt</a>
</dd>
</dl>
<!-- end vendor -->


<A NAME="compaq"><H4>Compaq Computer Corporation</H4></A>
<p>Case ID SSRT0782U<br>
Compaq has not been able to reproduce the problem identified in this advisory for any Compaq OS.  However, with the information available, we are including a code change for Compaq's TRU64 UNIX that will further reduce any potential overflow vulnerability.  This updated code will be announced when patches are available from the TRU64 UNIX FTP site and will be included in future releases of TRU64 UNIX.  The TRU64 UNIX FTP patch site is at:</p>
<dl>
<dd>
<a href="http://ftp.support.compaq.com/public/dunix/">http://ftp.support.compaq.com/public/dunix/</a>
</dd>
</dl>
<p>To subscribe to automatically receive future NEW Security Advisories from Compaq's Software Security Response Team via electronic mail, use your browser to select the URL:</p>
<dl>
<dd>
<a href="http://www.support.compaq.com/patches/mailing-list.shtml">http://www.support.compaq.com/patches/mailing-list.shtml</a>
</dd>
</dl>
<p>Select "Security and Individual Notices" for immediate dispatch notifications directly to your mailbox.</p>
<p>To report new Security Vulnerabilities, send mail to:</p>
<dl>
<dd>
security-ssrt@compaq.com
</dd>
</dl>
<p>In April of 2002 Compaq released the following Security Bulletin (SSRTM541):</p>
<dl>
<dd>
<a href="http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0013W.xml&dt=11">http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?<br>source=SRB0013W.xml&dt=11</a>
<br><br>
<a href="http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml">http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml</a>
</dd>
</dl>
<!-- end vendor -->


<A NAME="cray"><H4>Cray Inc.</H4></A>
<p>UNICOS, UNICOS/mk, and CrayTools are not vulnerable.</p>
<!-- end vendor -->


<A NAME="fujitsu"><H4>Fujitsu</H4></A>
<p>Fujitsu's UXP/V operating system is not vulnerable because it does not support any CDE components.</p>
<!-- end vendor -->


<A NAME="hp"><H4>Hewlett-Packard Company</H4></A>
<p>Hewlett-Packard has released Security Bulletin HPSBUX0111-175.  Hewlett-Packard Security Bulletins are available at the IT Resource Center web site (registration required):</p>
<dl>
<dd>
<a href="http://www.itresourcecenter.hp.com/">http://www.itresourcecenter.hp.com/</a>
</dd>
</dl>
<!-- end vendor -->


<A NAME="ibm"><H4>IBM Corporation</H4></A>
<p>The IBM AIX Development and Security teams continue to examine the source code for CDE's <font face="Courier">dtspcd</font> (sub-process control daemon).  We have discovered that the fixes developed for this vulnerability three years ago are not effective at closing this security hole.  We have since developed emergency fixes and APAR assignments for AIX 4.3 and 5.1 to eliminate the vulnerability (once and for all!).</p>
<ul>
<li>For AIX 4.3, the APAR is IY25436</li>
<li>For AIX 5.1, the APAR is IY25437</li>
</ul>
<p>To receive the emergency fix, AIX SupportLine customers can call 1-800-CALL-AIX.  The emergency fix ("CDE_dtspcd_efix.tar.Z") is posted for customer download at:</p>
<dl>
<dd>
<a href="ftp://aix.software.ibm.com/aix/efixes/security/">ftp://aix.software.ibm.com/aix/efixes/security/</a>
</dd>
</dl>
<p>This efix also contains the efix for another buffer overflow in libDtSvc.a (efix "CDE_libDtSvc_efix.tar.Z", found in the FTP site given above).  Thus, customers need only download and install this efix ("CDE_dtspcd_efix.tar.Z") to apply the two patches.</p>
<!-- end vendor -->


<A NAME="opengroup"><H4>The Open Group</H4></A>
<p>
The Open Group maintains source code for the Common Desktop Environment (CDE).  The Open Group is investigating this issue, and source licensees of The Open Group's CDE product can contact <a href="mailto:desktop@opengroup.org">desktop@opengroup.org</a> for advice regarding this issue.
</p>
<!-- end vendor -->

<A NAME="sgi"><H4>SGI</H4></A>
<p>SGI has released the following documents:</p>
<ul>
<li>SGI Security Advisory 20011107-01-P<br>
<a href="ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P">ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P</a></li>
<li>SGI Security Advisory 20020302-01-A<br>
<a href="ftp://patches.sgi.com/support/free/security/advisories/20020302-01-A">ftp://patches.sgi.com/support/free/security/advisories/20020302-01-A</a></li>
</ul>
<!-- end vendor -->

<A NAME="sun"><H4>Sun</H4></A>
<p>Sun has released Security Bulletin #00214:</p>
<dl>
<dd>
<a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214</a>
</dd>
</dl>
<p>Sun has also published Sun Alert Notification 41764:</p>
<dl>
<dd>
<a href="http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert/41764">http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=salert/41764</a>
</dd>
</dl>
<!-- end vendor -->

<A NAME="xig"><H4>Xi Graphics</H4></A>
<p>Xi Graphics DeXtop 2.1 is vulnerable.  Further information and a patch are available at the following locations:</p>
<dl>
<dd>
<a href="ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.txt">ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.txt</a>
<br><br>
<a href="ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.tar.gz">ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.tar.gz</a>
</dd>
</dl>
<!-- end vendor -->

</p>

<A NAME="references"><H2>Appendix B. - References</H2></A>

<ol>
<li><a href="http://www.kb.cert.org/vuls/id/172583">http://www.kb.cert.org/vuls/id/172583</a></li>
<li><A HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803</A></li>
<li><a href="http://xforce.iss.net/alerts/advise101.php">http://xforce.iss.net/alerts/advise101.php</a></li>
<li><a href="http://www.opengroup.org/cde/">http://www.opengroup.org/cde/</a></li>
<li><a href="http://www.opengroup.org/desktop/faq/">http://www.opengroup.org/desktop/faq/</a></li>
</ol>

<HR>

<HR NOSHADE>

<P>The CERT Coordination Center thanks Internet Security Systems (ISS) <a href="http://xforce.iss.net/">X-Force</a>, who published an <a href="http://xforce.iss.net/alerts/advise101.php">advisory</a> on this issue.</P>

<HR NOSHADE>

<P>Author: <A HREF="mailto:cert@cert.org?subject=CA-2001-27%20Feedback%20VU%23595507">Art Manion</A></P>

<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History</P>
<PRE>
November 12, 2001:  initial release, added workaround to disable vulnerable service
November 13, 2001:  updated vendor information for HP
November 15, 2001:  updated vendor information for IBM, Xi Graphics
November 16, 2001:  updated vendor information for IBM
November 30, 2001:  updated vendor information for SGI
December 17, 2001:  updated vendor information for IBM
January 10, 2002:  updated vendor information for Sun
April 3, 2002:  updated vendor information for SGI
May 30, 2002:  updated vendor information for Compaq
</PRE>