search menu icon-carat-right cmu-wordmark

CERT Coordination Center


XDMCP leaks sensitive information by default configuration

Vulnerability Note VU#634847

Original Release Date: 2002-03-15 | Last Revised: 2002-05-03

Overview

An information leakage vulnerability exists in the default configuration of the X Display Management Console Protocol (XDMCP) daemon.

Description

On some operating systems, the X Display Manager Control Protocol (XDMCP) daemon is set to permit remote access to the local machine from any host by default. Upon a request to connect, some XDMCP daemons show a graphical list of users authorized to log in to that machine. The user then selects their username and is prompted for a password. The information leakage occurs when a system displays the username selection screen to any XDMCP client.

Impact

An attacker may gain sensitive information about users permitted to login to the system. This may aid in brute-force attacks against the system.

Solution

If remote connections to the machine are not required, disable them to mitigate attacks.

If disabling is not an option, modify the configuration file to permit remote connections from only authorized addresses. Note that this may not be sufficient to block attacks from hosts that use other methods such as IP address spoofing. In addition, implementing a firewall to permit access to the XDMCP port (177/UDP, may vary based on system) from only authorized sources on the network may also help mitigate the exploitation vulnerability.

To disable remote connections comment out the following two lines in the "Xaccess" configuration file by adding a # symbol to the beginning of each line:

*#any host can get a login window
* CHOOSER BROADCAST #any indirect host can get a chooser

becomes

#*#any host can get a login window
#* CHOOSER BROADCAST #any indirect host can get a chooser

Vendor Information

634847
Expand all

Caldera

Updated:  May 03, 2002

Status

  Vulnerable

Vendor Statement

See, http://www.caldera.com/support/security/advisories/CSSA-1999-021.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  May 03, 2002

Status

  Vulnerable

Vendor Statement

See, http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-025.php?dis=8.0

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Linux Mandrake version 8 is reported as vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Updated:  March 15, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Solaris 2.6 and Solaris 7 are reported as vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat

Updated:  March 15, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Our thanks to ProCheckUp for the information provided in their security bulletin, and for bringing this vulnerability to our attention.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2000-0374
Severity Metric: 1.95
Date Public: 1999-08-23
Date First Published: 2002-03-15
Date Last Updated: 2002-05-03 21:29 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.