Vulnerability Note VU#634847

XDMCP leaks sensitive information by default configuration

Original Release date: 15 Mar 2002 | Last revised: 03 May 2002

Overview

An information leakage vulnerability exists in the default configuration of the X Display Management Console Protocol (XDMCP) daemon.

Description

On some operating systems, the X Display Manager Control Protocol (XDMCP) daemon is set to permit remote access to the local machine from any host by default. Upon a request to connect, some XDMCP daemons show a graphical list of users authorized to log in to that machine. The user then selects their username and is prompted for a password. The information leakage occurs when a system displays the username selection screen to any XDMCP client.

Impact

An attacker may gain sensitive information about users permitted to login to the system. This may aid in brute-force attacks against the system.

Solution

If remote connections to the machine are not required, disable them to mitigate attacks.

If disabling is not an option, modify the configuration file to permit remote connections from only authorized addresses. Note that this may not be sufficient to block attacks from hosts that use other methods such as IP address spoofing. In addition, implementing a firewall to permit access to the XDMCP port (177/UDP, may vary based on system) from only authorized sources on the network may also help mitigate the exploitation vulnerability.

To disable remote connections comment out the following two lines in the "Xaccess" configuration file by adding a # symbol to the beginning of each line:

    * #any host can get a login window
    * CHOOSER BROADCAST #any indirect host can get a chooser

becomes
    #* #any host can get a login window
    #* CHOOSER BROADCAST #any indirect host can get a chooser

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
CalderaAffected-03 May 2002
MandrakeSoftAffected-03 May 2002
SunAffected-15 Mar 2002
Red HatNot Affected-15 Mar 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Our thanks to ProCheckUp for the information provided in their security bulletin, and for bringing this vulnerability to our attention.

This document was written by Jason Rafail.

Other Information

  • CVE IDs: CVE-2000-0374
  • Date Public: 23 Aug 99
  • Date First Published: 15 Mar 2002
  • Date Last Updated: 03 May 2002
  • Severity Metric: 1.95
  • Document Revision: 9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.