
Buffer Overflow in Solaris X Window Font Service

Original release date: November 25, 2002
Last revised: Tue Dec 17 08:17:32 EST 2002
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  • Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
  • Sun Microsystems Solaris 2.6 (Sparc/Intel)
  • Sun Microsystems Solaris 7 (Sparc/Intel)
  • Sun Microsystems Solaris 8 (Sparc/Intel)
  • Sun Microsystems Solaris 9 (Sparc)

Overview

The Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.

I. Description

A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was discovered by ISS X-Force.

The Solaris X Window Font Service (XFS) serves font files to clients. Sun describes the XFS service as follows:

The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.

The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313.
http://www.kb.cert.org/vuls/id/312313

This vulnerability is also being referred to as CAN-2002-1317 by CVE.

Note that this vulnerability is in the X Window Font Server (xfs), not in the filesystem of the same name.

II. Impact

A remote attacker can execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial of service by crashing the service.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.

Disable vulnerable service

Until patches can be applied, you may wish to disable the XFS daemon (fs.auto). As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, fs.auto is started by inetd; it can be disabled by commenting out the "fs" entry in /etc/inetd.conf and then signalling inetd to re-read its configuration (for example with kill -HUP), or by restarting the inetd process.
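The following shell script is an added example, not part of the original CERT/CC advisory. It shows the inetd.conf edit described above against a constructed copy of the file rather than touching /etc/inetd.conf directly: the sample "fs" line mirrors the form used on Solaris 8, but the exact text on your own system should be checked before relying on it. The function and file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the CERT/CC advisory): disable the inetd-launched
# fs.auto entry in a copy of inetd.conf and verify the result.

# Write a constructed sample of inetd.conf to the path given in $1.
# The fs line follows the Solaris 8 form; verify against your real file.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto        fs
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# Comment out every active line whose service field (column 1) is exactly
# "fs".  Reads $1, writes the edited copy to $2; never edits $1 in place,
# so the original can be kept as a backup.
disable_fs_entry() {
    awk '$1 == "fs" { print "#" $0; next } { print }' "$1" > "$2"
}

# Print the number of active (uncommented) fs entries in $1.
# 0 means inetd will no longer start fs.auto once it re-reads the file.
count_active_fs() {
    awk '$1 == "fs" { n++ } END { print n + 0 }' "$1"
}

# On a real Solaris host, as root, the equivalent steps would be:
#   cp /etc/inetd.conf /etc/inetd.conf.orig
#   disable_fs_entry /etc/inetd.conf.orig /etc/inetd.conf
#   pkill -HUP inetd          # Solaris 7 and later; on older releases find
#                             # the pid with ps -ef and use kill -HUP <pid>
#   netstat -an | grep '\.7100 '   # should show nothing in LISTEN state
```

The awk match is on the whole first field, so an already-commented "#fs" line is left alone and a second run is harmless. Sending inetd SIGHUP only makes it re-read the file; an fs.auto process that is already serving a client keeps running until that connection closes, so the netstat check is worth repeating after a moment.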

Workarounds

Block access to port 7100/TCP at your network perimeter. Note that this only stops attacks from outside the perimeter; it does not protect vulnerable hosts from attackers already inside your network.

Appendix A. - Vendor Information

Hewlett-Packard Company

HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002

reference id:  CERT CA-2002-34, SSRT2429
 
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, and 11.22
 
This bulletin is available from the HP IT Resource Center page at: http://itrc.hp.com  "Maintenance and Support" then "Support Information Digests" and then "hp security bulletins archive" search for bulletin HPSBUX0212-228.

NOT IMPACTED:

HP Tru64 UNIX, HP NonStop Servers, HP openMVS

IBM

The AIX operating system is vulnerable to the xfs issues discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.

IBM provides the following official fixes:

     APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
     APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
     APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)

A temporary patch is available through an efix package which can be found at ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z.

Microsoft Corporation

The component in question is not used in any Microsoft product.

NetBSD

NetBSD ships the xfs from XFree86, though it's not on or used by default.

Nortel Networks

Nortel Networks products and solutions using the affected Sun Solaris operating systems may utilize the XFS daemon; it is installed and running by default on all versions of the Solaris operating system. Nortel Networks recommends either disabling this feature or, if XFS must be run, following CERT/CC's recommendations to block access to Port 7100/TCP at the network perimeter. Nortel Networks also recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.

For more information please contact Nortel at:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 9079009

Contacts for other regions are available at
www.nortelnetworks.com/help/contact/global/

OpenBSD

The xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. OpenBSD 2.7 and later is not.

Red Hat Inc.

Red Hat Linux is not affected by this vulnerability.

SGI

We're not vulnerable to this.

Sun Microsystems

The Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:

Solaris 2.6
Solaris 7
Solaris 8
Solaris 9

Patches are being generated for all of the above releases.  Sun will be publishing a Sun Alert for this issue at the following location shortly:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879

The patches will be available from:

http://sunsolve.sun.com/securitypatch

SuSE

We are not affected.

Appendix B. - References

  1. ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise Vulnerability - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541

  2. Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation - http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view

  3. CERT/CC Vulnerability Note: VU#312313 - http://www.kb.cert.org/vuls/id/312313

  4. CVE reference number CAN-2002-1317. Information available at http://cve.mitre.org


Internet Security Systems publicly reported this vulnerability.


Authors: Ian A. Finlay and Shawn V. Hernan.

Copyright 2002 Carnegie Mellon University.

Revision History

November 25, 2002: Initial release
November 25, 2002: Added vendor statement for Hewlett-Packard Company
November 25, 2002: Added vendor statement for Microsoft Corporation
December 02, 2002: Added vendor statement for SuSE
December 04, 2002: Added vendor statement for Red Hat Inc.
December 05, 2002: Revised vendor statement for OpenBSD
December 06, 2002: Revised vendor statement Hewlett-Packard Company
December 11, 2002: Added vendor statement for IBM (Note IBM provided their statement on December 5, 2002)
December 17, 2002: Added vendor statement for Nortel Networks