CERT: Exploit circulating for CDE hole in Solaris

Hackers are actively exploiting a known vulnerability in Sun Microsystems Inc.’s Solaris version of the Unix operating system, security experts said Jan. 14, urging administrators to check whether their systems are vulnerable.

The U.S. government-funded Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh said in an advisory that it had received “credible reports” of an exploit for Solaris systems. An exploit is a software tool that can be used to break into computer systems and that is often used by hackers.

The exploit takes advantage of a buffer overflow vulnerability that was first discovered in March 1999. The flaw in a library function used by the CDE (Common Desktop Environment) could allow an attacker to take full control over the system, CERT/CC said. CDE is a graphical user interface that is typically installed by default on Unix systems.

CDE is “a fairly widespread product on Unix platforms” and is included in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard Co. and Compaq Computer Corp., according to Art Manion, an Internet security analyst with CERT/CC.

The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from remote clients to execute commands and launch programs remotely. The service does not perform adequate input validation, so a malicious client could manipulate the data it sends and cause a buffer overflow, according to CERT/CC.

CERT/CC advises administrators to check if a system is configured to run dtspcd by looking for the entries “dtspc 6112/tcp” in “/etc/services” and “dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd” in “/etc/inetd.conf”.
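
The check CERT/CC describes can be scripted so that commented-out entries are not mistaken for active ones. The script below is an added example, not part of the advisory or the original article; the function names, the three status words and the sample files written by make_samples are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the CERT/CC configuration check for dtspcd as a script.
# Anchoring each pattern at the start of the line skips '#'-commented entries.

# True if the services file maps the name dtspc to a TCP port.
has_dtspc_service() {
    grep -Eq '^[[:space:]]*dtspc[[:space:]]+[0-9]+/tcp' "$1" 2>/dev/null
}

# True if inetd.conf has an active entry for the dtspc service.
has_dtspc_inetd() {
    grep -Eq '^[[:space:]]*dtspc[[:space:]]+stream[[:space:]]+tcp' "$1" 2>/dev/null
}

# Prints one of (status words are this example's own):
#   ENABLED         both entries active; inetd will launch dtspcd on connect
#   PARTIAL         only one entry active (e.g. inetd line commented out)
#   NOT_CONFIGURED  neither entry active
dtspcd_status() {
    services=${1:-/etc/services}
    inetd=${2:-/etc/inetd.conf}
    hits=0
    if has_dtspc_service "$services"; then hits=$((hits + 1)); fi
    if has_dtspc_inetd "$inetd"; then hits=$((hits + 1)); fi
    case $hits in
        2) echo "ENABLED" ;;
        1) echo "PARTIAL" ;;
        *) echo "NOT_CONFIGURED" ;;
    esac
}

# Constructed sample files (not taken from a real host) for an offline run.
make_samples() {
    printf 'dtspc\t\t6112/tcp\n' > "$1/services"
    printf 'dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd\n' \
        > "$1/inetd.enabled"
    printf '#dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd\n' \
        > "$1/inetd.disabled"
}

# With no arguments, check the two files named in the advisory.
dtspcd_status "$@"
```

A PARTIAL result usually means the inetd entry has been commented out while the port name remains in the services file; confirm that inetd has re-read its configuration before treating the service as disabled.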

Many Unix and Linux flavours are vulnerable, and many vendors have long since issued patches to fix the problem. Any system that does not run dtspcd is not vulnerable to this problem.

Though information about the flaw in CDE has been available since 1999, CERT/CC issued its first advisory on the matter late last year, Manion said. Tuesday’s advisory was the result of evidence, obtained from the online computer security research group the Honeynet Project, that the bug is being attacked, he said.

Despite information about the bug being available for so long, it’s “entirely possible” that there are a significant number of CDE users who have not patched their systems, Manion said. He is not aware of any compromises as a result of the vulnerability, but he urged CDE users to apply the patch, to block access from untrusted networks to the Subprocess Control Service and to monitor for activity related to the service.

The CERT/CC advisory can be found at http://www.cert.org/advisories/CA-2002-01.html

CERT/CC, in Pittsburgh, can be contacted at http://www.cert.org/.
