Buffer Overflow in Solaris X Window Font Service
Last revised: Tue Dec 17 08:17:32 EST 2002
A complete revision history can be found at the end of this file.
- Sun Microsystems Solaris 2.5.1 (Sparc/Intel)
- Sun Microsystems Solaris 2.6 (Sparc/Intel)
- Sun Microsystems Solaris 7 (Sparc/Intel)
- Sun Microsystems Solaris 8 (Sparc/Intel)
- Sun Microsystems Solaris 9 (Sparc)
OverviewThe Solaris X Window Font Service (XFS) daemon (fs.auto) contains a remotely exploitable buffer overflow vulnerability that could allow an attacker to execute arbitrary code or cause a denial of service.
A remotely exploitable buffer overflow vulnerability exists in the Solaris X Window Font Service (XFS) daemon (fs.auto). Exploitation of this vulnerability can lead to arbitrary code execution on a vulnerable Solaris system. This vulnerability was discovered by ISS X-Force.
The Solaris X Window Font Service (XFS) serves font files to clients. Sun describes the XFS service as follows:
The X Font Server is a simple TCP/IP-based service that serves font files to its clients. Clients connect to the server to request a font set, and the server reads the font files off the disk and serves them to the clients. The X Font Server daemon consists of a server binary /usr/openwin/bin/xfs.The XFS daemon is installed and running by default on all versions of the Solaris operating system. Further information about this vulnerability may be found in VU#312313.
This vulnerability is also being referred to as CAN-2002-1317 by CVE.
Apply a patch from your vendor
Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
Disable vulnerable service
Until patches can be applied, you may wish to disable the XFS daemon (fs.auto). As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. On a typical Solaris system, it should be possible to disable the fs.auto daemon by commenting out the relevant entries in /etc/inetd.conf and then restarting the inetd process.
WorkaroundsBlock access to port 7100/TCP at your network perimeter. Note that this will not protect vulnerable hosts within your network perimeter.
Appendix A. - Vendor Information
Hewlett-Packard CompanyHEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-228
Originally issued: 4 Dec 2002
reference id: CERT CA-2002-34, SSRT2429
HP Published Security Bulletin HPSBUX0212-228 with solutions for HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, 11.11, and 11.22
This bulletin is available from the HP IT Resource Center page at: http://itrc.hp.com "Maintenance and Support" then "Support Information Digests" and then "hp security bulletins archive" search for bulletin HPSBUX0212-228.
HP Tru64 UNIX, HP NonStop Servers, HP openMVS
IBMThe AIX operating system is vulnerable to the xfs issues discussed in CA-2002-34 in releases 4.3.3, 5.1.0 and 5.2.0.
IBM provides the following official fixes:
APAR number for AIX 4.3.3: IY37888 (available approx. 01/29/03)
APAR number for AIX 5.1.0: IY37886 (available approx. 04/28/03)
APAR number for AIX 5.2.0: IY37889 (available approx. 04/28/03)
A temporary patch is available through an efix package which can be found at ftp://ftp.software.ibm.com/aix/efixes/security/xfs_efix.tar.Z.
Microsoft CorporationThe component in question is not used in any Microsoft product.
NetBSDNetBSD ships the xfs from XFree86, though its not on or used by default.
Nortel NetworksNortel Networks products and solutions using the affected Sun Solaris operating systems may utilize the XFS daemon; it is installed and running by default on all versions of the Solaris operating system. Nortel Networks recommends either disabling this feature or, if XFS must be run, following CERT/CC's recommendations to block access to Port 7100/TCP at the network perimeter. Nortel Networks also recommends following the mitigating practices in Sun Microsystems Inc.'s Alert Notification.
For more information please contact Nortel at:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa:00800 8008 9009, or +44 (0) 870 9079009
Contacts for other regions are available at
OpenBSDThe xfs daemon in OpenBSD versions up to and including 2.6 is vulnerable. OpenBSD 2.7 and later is not.
Red Hat Inc.Red Hat Linux is not affected by this vulnerability.
SGIWe're not vulnerable to this.
Sun MicrosystemsThe Solaris X font server (xfs(1)) is affected by VU#312313 in the following supported versions of Solaris:
Patches are being generated for all of the above releases. Sun will be publishing a Sun Alert for this issue at the following location shortly:
The patches will be available from:
SuSEWe are not affected.
ISS X-Force Security Advisory: Solaris fs.auto Remote Compromise Vulnerability - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
Sun Cluster 3.0 U1 Data Services Developer's Guide, Chapter 6: Sample DSDL Resource Type Implementation - http://docs.sun.com/db/doc/806-7072/6jfvjtg1l?q=xfs&a=view
CERT/CC Vulnerability Note: VU#312313 - http://www.kb.cert.org/vuls/id/312313
CVE reference number CAN-2002-1317. Information available at http://cve.mitre.org
Internet Security Systems publicly reported this vulnerability.
Authors: Ian A. Finlay and Shawn V. Hernan.
Copyright 2002 Carnegie Mellon University.
November 25, 2002: Initial release November 25, 2002: Added vendor statement for Hewlett-Packard Company November 25, 2002: Added vendor statement for Microsoft Corporation December 02, 2002: Added vendor statement for SuSE December 04, 2002: Added vendor statement for Red Hat Inc. December 05, 2002: Revised vendor statement for OpenBSD December 06, 2002: Revised vendor statement Hewlett-Packard Company December 11, 2002: Added vendor statement for IBM (Note IBM provided their statement on December 5, 2002) December 17, 2002: Added vendor statement for Nortel Networks