CERT Warns of Solaris Font Flaw

By Ryan Naraine (Send Email)
Posted Nov 27, 2002


A buffer overflow in the X Window Font System on Sun's Solaris operating system can could let an attacker execute code or cause a denial-of-service (DoS) attack, according to a warning from the CERT Coordination Center. Sun Wednesday confirmed the security flaw in its X Window Font System and offered a workaround until a comprehensive patch can be issued.

The security flaws affect versions 2.5.1, 2.6, 7 and 8 (Sparc and Intel platforms) and version 9 (Sparc only). CERT urged that the fs.auto daemon be disabled until patches can be applied.

The flaw was found in Sun's Solaris X Window Font Service (XFS), which serves font files to users. The XFS daemon (fs.auto), which ships with Solaris and included in some other operating systems, contains the bug that could let a remote attacker execute arbitrary code with the privileges of the fs.auto daemon (typically nobody) or cause a denial-of-service by crashing the service.

Sun issued a security bulletin of its won, confirming the security flaw and offered a workaround until a comprehensive patch can be issued.

Sun joined CERT in urging clients to disable the XFS daemon as a temporary security measure. It said users should also block access to port 7100/TCP on firewalls to guard against possible external, but not internal, exploitation on the flaw.

The release of the vulnerability without a vendor fix continues to cause controversy among security consultants who argue that vendors aren't being given enough time to react to security holes found by third-party firms.

In this case, one expert explained, the Solaris flaw was detected by the Internet Security Systems (ISS) X-Serve unit and released before a comprehensive fix was made available.

The ISS said Sun confirmed patches would be made available on November 25 to coincide with the release of its advisory but sun "rescheduled the patch release" after the bulletin was published. ISS notified Sun of the vulnerability on November 16.

Criticisms have dogged ISS in the past for jumping the gun and releasing software flaws before a company can work on patches.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.