search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory

Vulnerability Note VU#179804

Original Release Date: 2004-03-24 | Last Revised: 2004-06-23

Overview

A "double-free" vulnerability in the CDE dtlogin program could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Description

The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a "double-free" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet.

Impact

Depending on configuration, operating system, and platform architecture, an unauthenticated, remote attacker could execute arbitrary code, read sensitive information, or cause a denial of service.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Updated vendor information will be made available in the Systems Affected section below.

Block or Restrict XDMCP Traffic

Block XDMCP traffic (177/udp) from untrusted networks such as the Internet. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. In most cases, it is trivial for an attacker to spoof the source of a UDP packet, so restricting xdmcp access to specific IP addresses may be ineffective. Consider network configuration and service requirements before deciding what changes are appropriate.

Disable xdmcp in dtlogin

Depending on service requirements, disable XDMCP support in dtlogin.

On a SunOS 5.8 system:

/usr/dt/config/Xconfig

/etc/dt/config/Xconfig


#  To disable listening for XDMCP requests from X-terminals.
#
Dtlogin.requestPort:       0

Vendor Information

179804
 
Affected   Unknown   Unaffected

Hewlett-Packard Company

Notified:  March 23, 2004 Updated:  June 18, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX01038/SSRT4721.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  March 23, 2004 Updated:  June 18, 2004

Status

  Vulnerable

Vendor Statement

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#179804.


The following APARs are available to address this issue:

    APAR number for AIX 4.3.3: IY55362 (available)
    APAR number for AIX 5.1.0: IY55361 (available)
    APAR number for AIX 5.2.0: IY55360 (available)
AIX Version 4.3.3 and Version 5 APARs can be downloaded from the eServer pSeries Fix Central web site:
If you would like to receive AIX Security Advisories via email, please visit:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  March 23, 2004 Updated:  April 04, 2004

Status

  Vulnerable

Vendor Statement

It looks like UnixWare version 7.1.1 is affected.

Versions 7.1.2 (a.k.a Open Unix 8.0.0) and version 7.1.3 are unaffected as xdmcp is disabled by default.

We recommend that UnixWare 7.1.1 customers disable xdmcp in dtlogin as outlined in Vulnerability Note VU#179804

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  March 23, 2004 Updated:  May 10, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SGI Security Advisory 20040801-01-P.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  March 23, 2004 Updated:  June 23, 2004

Status

  Vulnerable

Vendor Statement

Sun Microsystems Inc. is affected by this issue and is currently working on a solution. A SunAlert regarding this issue will be published shortly.

Please refer to:

For a future SunAlert addressing this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Updated:  March 24, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Updated:  March 24, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The Open Group

Updated:  March 24, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xi Graphics

Updated:  March 24, 2004

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was publicly reported by Dave Aitel of Immunity, Inc.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2004-0368
Severity Metric: 25.82
Date Public: 2004-03-23
Date First Published: 2004-03-24
Date Last Updated: 2004-06-23 17:51 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.