Original release date: November 25, 2002
Last revised: Tue Dec 17 08:17:32 EST 2002
A complete revision history can be found at the end of this file.
- Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
- Sun Microsystems Solaris 2.6 (Sparc/Intel)
- Sun Microsystems Solaris 7 (Sparc/Intel)
- Sun Microsystems Solaris 8 (Sparc/Intel)
- Sun Microsystems Solaris 9 (Sparc)
The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.
A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was
discovered by ISS X-Force.
The Solaris X Window Font Service (XFS) serves font files to clients. Sun describes the XFS service as follows:
The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font
Server daemon consists of a server binary /usr/openwin/bin/xfs.
The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313.
This vulnerability is also being referred to as CAN-2002-1317 by CVE.
Note this vulnerability is in the X Window Font Server, and not the filesystem of a similar name.
A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not
listed below, we have not received their comments. Please contact your vendor directly.
Disable vulnerable service
Until patches can be applied, you may wish to disable the XFS daemon (fs.auto). As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, it should be possible to disable the
fs.auto daemon by commenting out the relevant entries in /etc/inetd.conf and then restarting the inetd process.
Block access to port 7100/TCP at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter.
Appendix A. - Vendor Information
SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002
reference id: CERT CA-2002-34, SSRT2429
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, and 11.22
This bulletin is available from the HP IT Resource Center page at: http://itrc.hp.com "Maintenance and Support" then "Support Information Digests" and then "hp security bulletins archive" search for bulletin
HP Tru64 UNIX, HP NonStop Servers, HP openMVS
The AIX operating system is vulnerable to the xfs issues discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.
IBM provides the following official fixes:
APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)
A temporary patch is available through an efix package which can be found at ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z.
The component in question is not used in any Microsoft product.
NetBSD ships the xfs from XFree86, though its not on or used by default.
Nortel Networks products and solutions using the affected Sun Solaris operating systems may utilize the XFS daemon; it is installed and running by default on all versions of the Solaris operating system. Nortel Networks recommends either disabling this
feature or, if XFS must be run, following CERT/CC's recommendations to block access to Port 7100/TCP at the network perimeter. Nortel Networks also recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.
For more information please contact Nortel at:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa:00800 8008 9009, or +44 (0) 870 9079009
Contacts for other regions are available at
The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. OpenBSD 2.7 and later is not.
Red Hat Inc.
Red Hat Linux is not affected by this vulnerability.
We're not vulnerable to this.
The Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:
Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:
The patches will be available from:
We are not affected.
ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise Vulnerability - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation - http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view
CERT/CC Vulnerability Note: VU#312313 - http://www.kb.cert.org/vuls/id/312313
CVE reference number CAN-2002-1317. Information available at http://cve.mitre.org
Internet Security Systems publicly reported this vulnerability.
Authors: Ian A. Finlay and Shawn V. Hernan.
Copyright 2002 Carnegie Mellon University.
November 25, 2002: Initial release
November 25, 2002: Added vendor statement for Hewlett-Packard Company
November 25, 2002: Added vendor statement for Microsoft Corporation
December 02, 2002: Added vendor statement for SuSE
December 04, 2002: Added vendor statement for Red Hat Inc.
December 05, 2002: Revised vendor statement for OpenBSD
December 06, 2002: Revised vendor statement Hewlett-Packard Company
December 11, 2002: Added vendor statement for IBM (Note IBM provided their statement on December 5, 2002)
December 17, 2002: Added vendor statement for Nortel Networks