A known vulnerability in a popular graphical user interface (GUI) for Unix and Linux systems has been exploited on Sun Microsystems' Solaris operating system and users should patch their systems.
The Computer Emergency Response Team (CERT) announced Wednesday that someone has exploited a buffer-overflow vulnerability in the library function used by the CDE Subprocess Control Service. The vulnerability can allow an attacker to gain complete control of the system.
"It's pretty simple to find, just a matter of scanning for the service," said Art Manion, an Internet security analyst with CERT.
The Common Desktop Environment (CDE) is a popular graphical user interface for Unix systems from companies including Hewlett-Packard, Sun Microsystems, IBM and Digital Equipment Corp. (now owned by Compaq). CDE comes installed and enabled by default on most Unix systems.
The CDE Subprocess Control Service (dtspcd), according to a CERT advisory, is a network daemon that accepts remote requests to execute commands and launch applications. CERT adds that on CDE systems, dtspcd is spawned by the Internet services daemon (inetd or xinetd) in response to a CDE client request. Dtspcd is typically configured to run on port 6112/tcp with root privileges, CERT said. Network administrators are advised to monitor activity on this port, used by many Internet-enabled games, for legitimacy, CERT said.
CERT has known about the buffer overflow vulnerability, a fairly common one in software, since 1999 but this is the first time it has heard that its been exploited. Last November, CERT released an advisory warning CDE users of the buffer overflow problem.
The Honeynet Project recently found someone exploited the vulnerability in one of its Solaris systems. The Project maintains systems as targets to hackers to learn more about their techniques.
Users should consider patching their systems as finding the vulnerability is just a mattering of scanning for the port used by the Subprocess Control Service, Manion said. Packet-filtering technology such as a firewall can also be used to block or restrict access outsiders from accessing the port.