On June 11 (2008), iDefense and the X.Org Foundation released security advisories for a set of issues in the extension protocol parsing code of the open source X server common code base, which iDefense discovered and X.Org fixed.
Their advisories/reports are at:

  http://lists.freedesktop.org/archives/xorg-announce/2008-June/000578.html

and:

  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=718
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=719
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=720
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=721
  http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=722

Sun has released a Security Sun Alert for the X server versions in Solaris 8, 9, 10 and OpenSolaris 2008.05 at:

  http://sunsolve.sun.com/search/document.do?assetkey=1-66-238686-1

Preliminary T-patches are available for Solaris 8, 9, and 10 from the locations shown in the Sun Alert. These have not yet gone through full testing (hence the "T" in T-patch).

The fix for these issues has been integrated into the X gate for Nevada in Nevada build 92, so users of SXCE or SXDE will get the fixes by upgrading to SXCE build 92 when it becomes available (probably in 3-4 weeks, though the first week of July is traditionally a holiday week in Sun's US offices, so that may affect availability). Fixes for OpenSolaris 2008.05 users following the development build trains will be available when the Nevada 92 packages are pushed to the pkg.opensolaris.org repo (also probably about 3 weeks from now). Fixes are planned for OpenSolaris 2008.05 users staying on the stable branch (i.e. the nv_86 equivalent), but I do not have information yet on how or when those will be available.
Fixes for users building X from the OpenSolaris sources are currently available in the Mercurial repository of the FOX project at:

  http://www.opensolaris.org/os/project/fox/

For users of all OS versions, the best defenses against this class of attacks are to never, ever, ever run "xhost +", and, if possible, to run X with incoming TCP connections disabled: if the attacker can't connect to your X server in the first place, they can't feed it the malformed protocol requests that trigger these bugs. This is not a complete defense. Anyone who can still connect to the X server (for instance, local users of the machine) can still exploit it, so if the X users on a machine don't already have root access, disabling TCP won't protect you from them escalating privileges through the X server. It is, however, a strong first line of defense against attacks from other machines on the network.

Releases based on the Solaris Nevada train (including OpenSolaris and Solaris Express) default to "Secure by Default" mode [1], which disables incoming TCP connections to the X server. Current Solaris 10 releases offer to set the Secure by Default mode at install time. On both Solaris 10 and Nevada, the netservices command may be used to change the Secure by Default settings for all services, or the svccfg command may be used to disable listening for TCP connections for just X by running:

  svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen=false

and then restarting the X server (log out of your desktop session and log back in).

On older releases, the "-nolisten tcp" flag may be appended to the X server command line in /etc/dt/config/Xservers (copied from /usr/dt/config/Xservers if it doesn't exist) or in whatever other method is being used to start the X server.

See the Sun Alert for other prevention methods, such as disabling the vulnerable extensions if your applications can run effectively without them.
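As an added example (not part of the original post, and not Sun's or X.Org's code), here are shell helpers for the two checks a practitioner would make after reading the above: harden an old-style Xservers file by appending "-nolisten tcp" to every active server line (idempotently, so re-running it is safe), and confirm from saved "netstat -an" output that no X server is still listening on TCP ports 6000-6063 (6000 plus the display number). The file names and sample lines are constructed for the demonstration; the svccfg method for Solaris 10/Nevada is not exercised here because it needs a live SMF repository.

```shell
#!/bin/sh
# Added example, not from the original post or from Sun/X.Org.
#   1. Harden a CDE-style Xservers file by appending "-nolisten tcp" to every
#      active server line that lacks it (comments and blank lines untouched).
#   2. Count LISTEN sockets on the X TCP display ports 6000..6063 in saved
#      "netstat -an" output (Solaris "*.6000" or Linux "0.0.0.0:6000" syntax).
# All paths and sample data below are constructed for the demonstration.

# xservers_add_nolisten IN OUT: copy Xservers file IN to OUT, appending
# "-nolisten tcp" to each non-comment, non-blank line that does not already
# carry the flag. Running it on its own output changes nothing.
xservers_add_nolisten() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/  { print; next }   # comments / blank lines
        /-nolisten[ \t]+tcp/      { print; next }   # already hardened
        { print $0 " -nolisten tcp" }               # append the flag
    ' "$1" > "$2"
}

# xservers_missing_nolisten FILE: print how many active server lines in FILE
# still lack "-nolisten tcp" (0 means every configured server is hardened).
xservers_missing_nolisten() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !/-nolisten[ \t]+tcp/    { n++ }
        END { print n + 0 }
    ' "$1"
}

# x_tcp_listeners FILE: given "netstat -an" output in FILE, print the number
# of LISTEN sockets whose local port is 6000..6063, i.e. X servers that are
# reachable over the network.
x_tcp_listeners() {
    awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /[.:][0-9]+$/) {     # first such field = local address
                    port = $i; sub(/.*[.:]/, "", port)
                    if (port + 0 >= 6000 && port + 0 <= 6063) n++
                    break
                }
            }
        }
        END { print n + 0 }
    ' "$1"
}

# Demonstration on constructed input.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Xservers" <<'EOF'
# Constructed sample modelled on /usr/dt/config/Xservers: one local display.
   :0  Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner
EOF
cat > "$demo_dir/netstat.txt" <<'EOF'
# Constructed sample in Solaris "netstat -an" style.
      *.22                 *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
EOF

echo "server lines without -nolisten tcp before: $(xservers_missing_nolisten "$demo_dir/Xservers")"
xservers_add_nolisten "$demo_dir/Xservers" "$demo_dir/Xservers.new"
echo "server lines without -nolisten tcp after:  $(xservers_missing_nolisten "$demo_dir/Xservers.new")"
echo "X servers listening on TCP: $(x_tcp_listeners "$demo_dir/netstat.txt")"
rm -rf "$demo_dir"
```

Point xservers_add_nolisten at a copy of /etc/dt/config/Xservers, review the output, then install it and restart the X server (log out and back in), exactly as with the svccfg method. Running x_tcp_listeners over a fresh "netstat -an" capture afterwards should report 0; if it does not, some other mechanism is still starting an X server without "-nolisten tcp".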
[1] For more information about Solaris/OpenSolaris "Secure by Default", see:

  http://www.opensolaris.org/os/community/security/projects/sbd/

-- 
	-Alan Coopersmith-   alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering