US-CERT
Vulnerability Notes Database


Vulnerability Note VU#634847

XDMCP leaks sensitive information by default configuration

Overview

An information leakage vulnerability exists in the default configuration of the X Display Manager Control Protocol (XDMCP) daemon.

I. Description

On some operating systems, the X Display Manager Control Protocol (XDMCP) daemon is set to permit remote access to the local machine from any host by default. Upon a request to connect, some XDMCP daemons show a graphical list of users authorized to log in to that machine. The user then selects their username and is prompted for a password. The information leakage occurs when a system displays the username selection screen to any XDMCP client.

II. Impact

An attacker may gain sensitive information about users permitted to log in to the system. This may aid in brute-force attacks against the system.

III. Solution

If remote connections to the machine are not required, disable them to mitigate attacks.

If disabling is not an option, modify the configuration file to permit remote connections from only authorized addresses. Note that this may not be sufficient to block attacks from hosts that use other methods such as IP address spoofing. In addition, implementing a firewall to permit access to the XDMCP port (177/UDP, may vary based on system) from only authorized sources on the network may also help mitigate exploitation of the vulnerability.

To disable remote connections, comment out the following two lines in the "Xaccess" configuration file by adding a # symbol to the beginning of each line:

    * #any host can get a login window
    * CHOOSER BROADCAST #any indirect host can get a chooser

becomes

    #* #any host can get a login window
    #* CHOOSER BROADCAST #any indirect host can get a chooser
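
A check for the condition described above, as an added example that is not part of the original advisory: it flags active Xaccess entries whose host pattern is the bare wildcard "*". The sample file contents, the hostname and the function names are constructed for illustration; treating "#" as a comment marker anywhere on a line, and any extra field after the pattern as marking an indirect entry, are assumptions about the file format.

```python
"""Audit an xdm-style Xaccess file for entries that admit any host."""
import sys

# Constructed sample: the two default lines quoted in the advisory, plus an
# already-disabled entry and a restricted one (the hostname is made up).
SAMPLE_XACCESS = """\
# Xaccess sample
*                           #any host can get a login window
*       CHOOSER BROADCAST   #any indirect host can get a chooser
#*      CHOOSER BROADCAST   #disabled
xterm1.example.org          #one authorized X terminal
"""


def find_open_entries(text):
    """Return (line_number, kind, entry) for each active entry whose host
    pattern is the bare wildcard '*'.

    kind is 'direct' when nothing follows the pattern (any host gets a login
    window) and 'indirect' when further fields such as CHOOSER follow it.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments, inline ones too
        if not entry:
            continue  # blank line, or a line that is commented out
        fields = entry.split()
        if fields[0] != "*":
            continue  # specific host or narrower pattern: not open to all
        kind = "direct" if len(fields) == 1 else "indirect"
        findings.append((number, kind, " ".join(fields)))
    return findings


def main(path=None):
    """Audit the file at path (or the built-in sample); return 1 if open."""
    text = SAMPLE_XACCESS
    if path:
        with open(path, encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    findings = find_open_entries(text)
    for number, kind, entry in findings:
        print(f"line {number}: {kind} access open to any host: {entry!r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to the system's Xaccess file as the only argument; a non-zero exit status means at least one wildcard entry is still active.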

Systems Affected

Vendor          Status          Date Updated
Caldera         Vulnerable      3-May-2002
MandrakeSoft    Vulnerable      3-May-2002
Red Hat         Not Vulnerable  15-Mar-2002
Sun             Vulnerable      15-Mar-2002

References


http://www.procheckup.com/security_info/vuln_pr0208.html
http://www.caldera.com/support/security/advisories/CSSA-1999-021.0.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0374
http://www.securityfocus.com/bid/1446
http://xforce.iss.net/static/4856.php

Credit

Our thanks to ProCheckUp for the information provided in their security bulletin, and for bringing this vulnerability to our attention.

This document was written by Jason Rafail.

Other Information

Date Public: 08/23/99
Date First Published: 03/15/2002 04:14:26 PM
Date Last Updated: 05/03/2002
CERT Advisory:
CVE Name: CVE-2000-0374
US-CERT Technical Alerts:
Metric: 1.95
Document Revision: 9

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University