A complete revision history can be found at the end of this file.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges.
For more information about CDE, see

    http://www.opengroup.org/cde/
    http://www.opengroup.org/desktop/faq/
There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by dtspcd. During client negotiation, dtspcd accepts a length value and subsequent data from the client without performing adequate input validation. As a result, a malicious client can manipulate data sent to dtspcd and cause a buffer overflow, potentially executing code with root privileges.
This vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) X-Force. For more information, see

    http://www.kb.cert.org/vuls/id/172583
    http://xforce.iss.net/alerts/advise101.php
This vulnerability has been assigned the identifier CAN-2001-0803 by the Common Vulnerabilities and Exposures (CVE) group:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803
Many common UNIX systems ship with CDE installed and enabled by default. To determine if your system is configured to run dtspcd, check for the following entries (may be wrapped):

    /etc/services

        dtspc 6112/tcp

    /etc/inetd.conf

        dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem.
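As an added example, not part of the CERT advisory, the following Python checker automates the inspection above: it parses /etc/services and /etc/inetd.conf text, reports whether dtspc is active and running as root and on which port, and produces the commented-out inetd.conf entry that the workaround in Section III calls for. The sample file contents are constructed; on a real system read the two files instead.

```python
from typing import Dict, Optional

# Constructed samples of the two files the advisory says to inspect; the dtspc
# lines are the ones quoted above, the '#telnet' line shows a disabled service.
SERVICES_SAMPLE = """\
telnet     23/tcp
dtspc      6112/tcp    # CDE Subprocess Control Service
"""
INETD_SAMPLE = """\
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
dtspc   stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
"""

def parse_services(text: str) -> Dict[str, str]:
    """Map service name -> 'port/proto' from an /etc/services-style file."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table

def find_inetd_service(text: str, name: str) -> Optional[Dict[str, str]]:
    """Return the active inetd.conf entry for `name`, or None if absent or
    commented out (a leading '#' turns the first field into '#name')."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == name:
            return {"user": fields[4], "server": fields[5]}
    return None

def assess_dtspcd(services_text: str, inetd_text: str) -> Dict[str, object]:
    """One finding: is dtspcd enabled, does it run as root, which port."""
    port = parse_services(services_text).get("dtspc")
    entry = find_inetd_service(inetd_text, "dtspc")
    return {
        "enabled": entry is not None,
        "runs_as_root": entry is not None and entry["user"] == "root",
        "port": port,
    }

def disable_inetd_service(text: str, name: str) -> str:
    """Comment out every active entry for `name` (the advisory's workaround);
    inetd must be told to reread its configuration afterwards."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        line = "#" + line if fields and fields[0] == name else line
        out.append(line)
    return "\n".join(out) + "\n"
```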
II. Impact
An attacker can execute arbitrary code with root privileges.
III. Solution
Apply a patch
Appendix A contains information from vendors who have provided information for this advisory. We will update the appendix as we receive more information. If a vendor's name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly.
Limit access to vulnerable service
Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service. As noted above, dtspcd is typically configured to listen on port 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging functionality for dtspcd connections. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate. TCP Wrapper is available from

    ftp://ftp.porcupine.org/pub/security/index.html
Disable vulnerable service
You may wish to consider disabling dtspcd by commenting out the appropriate entry in /etc/inetd.conf. As a best practice, the CERT/CC recommends disabling any services that are not explicitly required. As noted above, it is important to consider the consequences of such a change in your environment.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Copyright 2001 Carnegie Mellon University.