
CERT Coordination Center

Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory

Vulnerability Note VU#179804

Original Release Date: 2004-03-24 | Last Revised: 2004-06-23

Overview

A "double-free" vulnerability in the CDE dtlogin program could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a "double-free" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet.

Impact

Depending on configuration, operating system, and platform architecture, an unauthenticated, remote attacker could execute arbitrary code, read sensitive information, or cause a denial of service.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Updated vendor information will be made available in the Systems Affected section below.

Block or Restrict XDMCP Traffic

Block XDMCP traffic (177/udp) from untrusted networks such as the Internet. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. In most cases, it is trivial for an attacker to spoof the source of a UDP packet, so restricting XDMCP access to specific IP addresses may be ineffective. Consider network configuration and service requirements before deciding what changes are appropriate.

Disable XDMCP in dtlogin

Depending on service requirements, disable XDMCP support in dtlogin.

On a SunOS 5.8 system:

/usr/dt/config/Xconfig

/etc/dt/config/Xconfig


#  To disable listening for XDMCP requests from X-terminals.
#
Dtlogin.requestPort:       0
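
A check for the workaround above, as an added example that is not CERT/CC or vendor code: the shell functions below read an Xconfig file and report whether an active Dtlogin.requestPort: 0 line is present, treating the commented-out form as not applied. The function names and sample files are constructed for illustration; listing /etc/dt/config/Xconfig ahead of /usr/dt/config/Xconfig assumes the /etc/dt copy is the one dtlogin reads when it exists.

```shell
#!/bin/sh
# Added example (not CERT/CC or vendor code): check whether the
# "Dtlogin.requestPort: 0" workaround is active in a dtlogin Xconfig.

# Print the active Dtlogin.requestPort value in FILE, or "unset".
# The match is anchored, so a commented-out "# Dtlogin.requestPort: 0"
# line is ignored; if the resource appears twice, the later line is kept.
xdmcp_port() {
    awk '
        /^[ \t]*Dtlogin\.requestPort[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, "")    # strip the resource name and colon
            sub(/[ \t\r]+$/, "")        # strip trailing blanks and CR
            port = $0; seen = 1
        }
        END { if (seen) print port; else print "unset" }
    ' "$1"
}

# Report on the first readable file among the arguments.
# Assumption: callers list /etc/dt/config/Xconfig before
# /usr/dt/config/Xconfig, since the /etc/dt copy is used when present.
xdmcp_status() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        p=$(xdmcp_port "$f")
        case "$p" in
            0)     echo "disabled:$f" ;;   # workaround applied
            unset) echo "unset:$f" ;;      # dtlogin default applies
            *)     echo "port=$p:$f" ;;    # explicitly set to another port
        esac
        return 0
    done
    echo "no-config"; return 1
}

# Constructed sample files, so the check can be tried without a CDE host.
make_samples() {
    mkdir -p "$1/etc" "$1/usr"
    printf '#  To disable listening for XDMCP requests.\n#\n# Dtlogin.requestPort:       0\n' > "$1/usr/Xconfig"
    printf '#  To disable listening for XDMCP requests.\n#\nDtlogin.requestPort:       0\n' > "$1/etc/Xconfig"
}

tmp=$(mktemp -d) && make_samples "$tmp"
xdmcp_status "$tmp/usr/Xconfig"                     # constructed: line left commented out
xdmcp_status "$tmp/etc/Xconfig" "$tmp/usr/Xconfig"  # constructed: workaround applied
rm -rf "$tmp"
```

On a CDE host the equivalent call is xdmcp_status /etc/dt/config/Xconfig /usr/dt/config/Xconfig; any result other than "disabled" means the requestPort workaround is not in effect in the file that was read.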

Vendor Information


Hewlett-Packard Company Affected

Notified:  March 23, 2004 Updated: June 18, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX01038/SSRT4721.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Notified:  March 23, 2004 Updated: June 18, 2004

Status

Affected

Vendor Statement

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#179804.


The following APARs are available to address this issue:

    APAR number for AIX 4.3.3: IY55362 (available)
    APAR number for AIX 5.1.0: IY55361 (available)
    APAR number for AIX 5.2.0: IY55360 (available)

AIX Version 4.3.3 and Version 5 APARs can be downloaded from the eServer pSeries Fix Central web site:

If you would like to receive AIX Security Advisories via email, please visit:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SCO Affected

Notified:  March 23, 2004 Updated: April 04, 2004

Status

Affected

Vendor Statement

It looks like UnixWare version 7.1.1 is affected.

Versions 7.1.2 (a.k.a. Open Unix 8.0.0) and version 7.1.3 are unaffected as xdmcp is disabled by default.

We recommend that UnixWare 7.1.1 customers disable xdmcp in dtlogin as outlined in Vulnerability Note VU#179804.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI Affected

Notified:  March 23, 2004 Updated: May 10, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SGI Security Advisory 20040801-01-P.


Sun Microsystems Inc. Affected

Notified:  March 23, 2004 Updated: June 23, 2004

Status

Affected

Vendor Statement

Sun Microsystems Inc. is affected by this issue and is currently working on a solution. A SunAlert regarding this issue will be published shortly.

Please refer to:

For a future SunAlert addressing this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc. Unknown

Updated:  March 24, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


EMC Corporation Unknown

Updated:  March 24, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The Open Group Unknown

Updated:  March 24, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Xi Graphics Unknown

Updated:  March 24, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.




Acknowledgements

This vulnerability was publicly reported by Dave Aitel of Immunity, Inc.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0368
Severity Metric: 25.82
Date Public: 2004-03-23
Date First Published: 2004-03-24
Date Last Updated: 2004-06-23 17:51 UTC
Document Revision: 23

Sponsored by CISA.