A quiet battle is raging between a security organization and several UNIX/Linux vendors over the existence, seriousness, and need for the correction of a buffer overflow problem in the Common Desktop Environment (CDE) GUI, which runs by default on many UNIX operating systems. The CDE Subprocess Control Service daemon (dtspcd) is at the heart of this threat, which was brought to the security community’s attention by the Internet Security Systems X-Force group (ISS). The confusion stems from the fact that some vendors deny the existence of the vulnerability.
Only systems running the CDE GUI are vulnerable to the threat, but ISS points out that since CDE is usually turned on by default during the installation of many UNIX systems, it could be widespread.
Specifically, a CDE client request, through an Internet services daemon, spawns dtspcd. Dtspcd normally runs on TCP port 6112 and is granted root privileges. That is the root of this threat because, as security specialists at ISS warned CERT and various vendors about a month ago, some versions of dtspcd don’t perform proper input validation on the length of data being accepted. This can cause a buffer overflow, and, because this service already has root privileges, malicious attacks could cause code to run with root privilege on the systems.
CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service acknowledges this report and states that this, or a similar vulnerability, has been in existence for a long time, having first been reported to CERT in March of 1999.
According to vendor responses reported by CERT, the following systems are at risk. (This list may have expanded by the time you read this column; see the CERT advisory for details.)
- IBM AIX 4.3 and 5.1
- Caldera OpenUnix 8.0 and UnixWare 7
- HP-UX 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11
- Sun Solaris 7 and 8
- Compaq Tru64 Digital Unix 4.0F, 4.0G, 5.0a, 5.1, and 5.1a
- Xi Graphics DeXtop 2.1
Cray reports that UNICOS, UNICOS/mk, and CrayTools aren’t vulnerable. Fujitsu says, “UXP/V operating system is not vulnerable because it does not support any CDE components.”
To determine whether dtspcd is active on your system, look for the following:
/etc/services dtspc 6112/tcp
ISS warns that a similar CDE vulnerability became a very popular attack point a few years ago. The security company says that it advised vendors of the vulnerability, giving them an opportunity to create patches, and only went public after Caldera posted a message related to the problem on the NTBugTrak mailing list.
Point of contention
Although some companies say that this is a relatively well-known vulnerability, the fact that ISS’s X-Force team claims to have recently rediscovered it or a variation of the older flaw has caused a considerable stir. Some vendors, according to the Nov. 19, 2001 issue of Network World, are denying that the problem still exists.
At the time the Network World article was written, Sun Microsystems told the publication that its software wasn’t vulnerable and required no patch. My latest information is that the company now acknowledges a problem, saying, “The Sun dtspcd daemon is vulnerable to this buffer overflow.”
Hewlett-Packard (HP) acknowledged some CDE-related problems, but there was a disagreement between HP and ISS about which HP-UX versions needed a patch. ISS claims HP-UX 11 and 11i are still vulnerable. Despite my repeated attempts to get more information, HP didn’t reply to my requests for verification of its position on the controversy. Network World reported that an HP spokesman said that HP-UX 11 and 11i already have buffer overflow protections.
ISS’s Dan Ingevaldson, the X-Force team leader, disputes this assertion, saying that ISS has already broken the claimed buffer overflow protection and that the protection didn’t address this new vulnerability anyway. I was able to confirm that this is still ISS’s position.
Caldera, Compaq, and IBM say they already had a patch available to address the problem, although Compaq reported to CERT that it was unable “to reproduce the problem identified in this advisory for any Compaq OS.”
If you’re running a UNIX system without CDE, this threat isn’t a concern even if your particular version has a vulnerable component. For those who do implement a CDE GUI, a patch is the only fix. Sun doesn’t have a patch for Solaris’ CDE vulnerability and says that users should just turn off at-risk components such as dtspcd until a patch is available.
For the very latest patch information, see Appendix A to the CERT advisory. CERT updates this regularly as it receives new patch information from vendors; these are links to some patches (please be aware that these may change):
- AIX emergency patch
- Xi Graphics DeXtop 2.1
- Sun reports that it will post patches at Sun Patches as soon as they’re ready.
Have a comment or a question?
We look forward to getting your input and hearing your experiences regarding this topic. Post a comment or a question about this article.