__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Common Desktop Environment (CDE) dtlogin XDMCP parser Vulnerability [US-CERT Vulnerability Note VU#179804] April 28, 2004 20:00 GMT Number O-129 [REVISED 29 Apr 2004] ______________________________________________________________________________ PROBLEM: The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a vulnerability. PLATFORM: - HP Tru64 UNIX 5.1B PK3(BL24) HP Tru64 UNIX 5.1B PK2 (BL22) HP Tru64 UNIX 5.1A PK6 (BL24) HP Tru64 UNIX 4.0G PK4 (BL22) HP Tru64 UNIX 4.0F PK8 (BL22) - IBM AIX 4.3, 5.1 and 5.2 See US CERT VU#179804 for listing of UNIX/Linux Systems Affected. DAMAGE: Dtlogin contains a"double-free" vulnerability. It can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet that allows an unauthenticated, remote attacker to execute arbitrary code, read sensitive information, or cause a denial of service. SOLUTION: Install patches as available. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. May allow remote attacker to execute ASSESSMENT: arbitrary code or cause a denial of service. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-129.shtml ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/179804 Monitor the US-CERT Vulnerability Note for vendor updates. ADDITIONAL LINK: Visit Hewlett Packard's Subscription Service for: HP Security Bulletin HPSBTU01017 (SSRT4721) IBM MSS Advisory MSS-OAR-E01-2004:0545.1 http://www-1.ibm.com/services/continuity/recover1.nsf/mss/ MSS-OAR-E01-2004.0545.1 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2004-0368 ______________________________________________________________________________ REVISION HISTORY: 04/29/04 - added link to IBM MSS Advisory MSS-OAR-E01-2004:0545.1 that provides patches for this vulnerability. [***** Start US-CERT Vulnerability Note VU#179804 *****] Vulnerability Note VU#179804 Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory Overview A "double-free" vulnerability in the CDE dtlogin program could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system. I. Description The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a "double-free" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet. II. Impact Depending on configuration, operating system, and platform architecture, an unauthenticated, remote attacker could execute arbitrary code, read sensitive information, or cause a denial of service. III. Solution The CERT/CC is currently unaware of a practical solution to this problem. Updated vendor information will be made available in the Systems Affected section below. Block or Restrict XDMCP Traffic Block XDMCP traffic (177/udp) from untrusted networks such as the Internet. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. In most cases, it is trivial for an attacker to spoof the source of a UDP packet, so restricting xdmcp access to specific IP addresses may be ineffective. Consider network configuration and service requirements before deciding what changes are appropriate. Disable xdmcp in dtlogin Depending on service requirements, disable XDMCP support in dtlogin. On a SunOS 5.8 system: /usr/dt/config/Xconfig # To disable listening for XDMCP requests from X-terminals. # Dtlogin.requestPort: 0 Systems Affected Vendor Status Date Updated Cray Inc. Unknown 24-Mar-2004 EMC Corporation Unknown 24-Mar-2004 Hewlett-Packard Company Unknown 24-Mar-2004 IBM Unknown 24-Mar-2004 SCO Vulnerable 4-Apr-2004 SGI Unknown 24-Mar-2004 Sun Microsystems Inc. Vulnerable 4-Apr-2004 The Open Group Unknown 24-Mar-2004 Xi Graphics Unknown 24-Mar-2004 References http://lists.immunitysec.com/pipermail/dailydave/2004-March/000402.html http://www.securityfocus.com/archive/1/358380 http://www.securityfocus.com/archive/1/358426 http://secunia.com/advisories/11210/ http://secunia.com/advisories/11214/ Credit This vulnerability was publicly reported by Dave Aitel of Immunity, Inc. This document was written by Art Manion. Other Information Date Public 03/23/2004 Date First Published 03/24/2004 12:25:38 AM Date Last Updated 04/04/2004 CERT Advisory CVE Name CAN-2004-0368 Metric 25.82 Document Revision 21 If you have feedback, comments, or additional information about this vulnerability, please send us email. [***** End US-CERT Vulnerability Note VU#179804 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of US-CERT for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-119: HP Tru64 UNIX WU-FTPD Security Vulnerabilities O-120: HP Web Jetadmin Security Vulnerabilities O-121: Debian linux-kernel-2.4.17 and 2.4.18 Vulnerabilities O-122: Red Hat Updated OpenOffice Packages Fix Security Vulnearbility in Neon O-123: Debian 483-1 MySQL O-124: Cisco TCP Vulnerabilities in Multiple Cisco Products O-125: Cisco Vulnerabilities in SNMP Message Processing O-126: Red Hat Updated Kernel Packages Fix Several Vulnerabilities O-127: Debian linux-kernel-2.4.16 Vulnerabilities O-128: Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities