Priority Unix Vulnerability Announcement

ProCheckUp would like to bring to the attention of the IT community an important vulnerability that was discovered in popular Unix operating systems.

Anonymous XDMCP connections allow remote attackers, by using a command built within the vast majority of Unix boxes, to obtain a remote console identical to a local X-Windows session. The mitigating factor preventing full remote control, is that the attacker still has to authenticate to X-Windows. However, recently this has become easier as newer implementations of Unix desktops display a graphical list of users, which exist on that Unix box. After authentication, the attacker has complete remote control over the machine. This vulnerability appears to affect all versions of Sun Solaris and versions of Linux Mandrake up to 8.1, we feel that other Unix boxes may also be susceptible (see Fig 1 below).

This is a serious vulnerability that was found on customers Internet connected servers. The ProCheckUp technicians were surprised that this existed and performed an initial search for information. It was evident that this had been overlooked and no activity could be identified in this area since early 1999.

This was relayed to CERT on 01/03/2002 in the normal way for processing, validation and distribution to the Vendor community.

In all cases it is important that the vendor community become aware of new vulnerabilities before news of them are them are released to the IT world. This enables valid users to apply software patches or fixes that disable the “back door” into the system.

A test for an open source scanning tool has just been released for XDMCP. Because this particular scanner is free, and easily downloaded, it is widely used by the hacking community. The implication is that hackers will know of the vulnerability before the User community. As a result some IT networks and consequently company information and business data may be at risk.

We are therefore taking this necessary step to warn the IT community that this could now be common knowledge to the hacker community and in some circumstances urgent action may be necessary.

For details and fix information go to:

www.procheckup.com/security_info/vuln_pr0208.html

Contact Steve Knight on 020 7307 5001 to obtain any further comment from ProCheckUp.