IT organizations should take seriously two recently announced security holes in a component of a common desktop environment for Unix and Linux systems, experts say.
Late last week, the CERT Coordination Center at Pittsburgh-based Carnegie Mellon University released an advisory about two vulnerabilities in ToolTalk, the inter-application messaging service of CDE (Common Desktop Environment), a graphical desktop that ships with a host of Unix flavors and is also available for Linux.
The more serious of the two could allow remote attackers to mount denial-of-service attacks against affected servers, CERT said in its advisory. The lesser allows local attackers to escalate their system privileges. Both vulnerabilities involve the ToolTalk RPC database server (rpc.ttdbserverd) in CDE, which manages communication between ToolTalk applications.
"Both are very serious as they allow the arbitrary overwriting of files as root," said Ken Robson, a Unix specialist in Denmark. "If patches from vendors are not already available then packet filtering or firewalling should be used to protect hosts from attacks emanating from other subnets."
HP9000 Series 700/800 servers running HP-UX 10.10, 10.20, 11.00 and 11.11 are vulnerable, according to CERT. All supported versions of Solaris are vulnerable, including Solaris 2.5.1, 2.6, 7, 8 and 9, CERT said.
Ricardo Quesada, of New York-based Core Security Technologies, found the vulnerabilities while testing his company's penetration testing tool, Core Impact. "Ricardo was developing a module for a format string bug in the ToolTalk Database Server (rpc.ttdbserverd) and found these new ones," said Ivan Arce, Core Security's CTO.
Arce rates the flaws as a medium risk when balancing the pervasiveness of CDE ToolTalk, the severity of the vulnerabilities and how organizations use it. "I've failed to find an organization where the package (and CDE in general) is required in order to conduct normal activities," he said.
The fact that the ToolTalk Database Server program is enabled by default in many of the commercial Unix flavors, however, means the vulnerabilities shouldn't be overlooked, Arce said.
Exploiting the vulnerabilities isn't particularly difficult either, Arce said. Writing a working denial-of-service exploit is the harder of the two, requiring "a relatively experienced developer," but exploiting the privilege-escalation flaw is easier, he said. "In any case, experience proves that once a working exploit has been developed by a technically savvy individual, the less technically 'apt' individuals are able to use it without further knowledge of what it does or how it works," he said.
The first vulnerability could allow remote attackers to overwrite memory locations with zeros, CERT said. Using that primitive, they could delete any file accessible to the ToolTalk RPC database server; because the server typically runs with root privileges, that potentially means any file on the system. Deleting certain files could cause a denial of service, and CERT said the attackers might also be able to execute arbitrary code on the server.
By contrast, the second vulnerability has to be exploited by local attackers. They could potentially overwrite any file accessible to the ToolTalk RPC database server with data of their choice. Such action could cause a denial of service or bump up the attackers' system privileges.
CERT recommends users patch their systems when vendors make patches available. In the interim, CERT suggests users disable the ToolTalk RPC database server by commenting out the relevant entries in /etc/inetd.conf and in /etc/rpc and then restarting the inetd process so it re-reads its configuration.
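The interim workaround above, as an added example that is not part of the CERT advisory or this article: a small POSIX shell script that comments out the rpc.ttdbserverd entry in an inetd.conf-style file and verifies that no active entry remains. The sample inetd.conf is constructed here so the script runs offline; the RPC program number 100083 (ToolTalk database server), the Solaris-style entry format and the daemon path /usr/dt/bin/rpc.ttdbserverd are assumptions that may differ on your platform. On a real host you would point the functions at /etc/inetd.conf and then send inetd a SIGHUP.

```shell
# Added example (not CERT's or the article's code): disable rpc.ttdbserverd in
# an inetd.conf file and confirm the change. Uses only POSIX sed/grep so it
# also runs on older commercial Unix systems that lack GNU sed -i.

# Write a constructed sample inetd.conf to the path given in $1. The ToolTalk
# line mimics the Solaris form (RPC program/version, tli transport); the exact
# format and daemon path are assumptions, not copied from a vendor file.
make_sample_inetd_conf() {
  cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF
}

# Print the number of active (not commented out) rpc.ttdbserverd entries in $1.
# grep -c exits 1 when the count is 0, so swallow that exit status.
count_active_ttdb() {
  grep -c '^[^#].*rpc\.ttdbserverd' "$1" || true
}

# Comment out every active rpc.ttdbserverd line in $1, keeping a .bak copy of
# the original so the change can be reverted once a vendor patch is applied.
disable_ttdb() {
  cp "$1" "$1.bak"
  sed 's/^\([^#].*rpc\.ttdbserverd.*\)$/#\1/' "$1.bak" > "$1"
}

# After inetd has been restarted (kill -HUP the inetd process), check whether
# the portmapper still lists RPC program 100083. Returns 0 if the ToolTalk
# database server is still registered, 1 if it is gone, 2 if rpcinfo is absent.
ttdb_registered() {
  command -v rpcinfo >/dev/null 2>&1 || return 2
  rpcinfo -p 2>/dev/null | grep -q ' 100083 '
}

# Stand-alone usage on the constructed sample; replace the temp file with
# /etc/inetd.conf on a real system and follow up with a SIGHUP to inetd.
if [ "${TTDB_EXAMPLE_MAIN:-}" = "1" ]; then
  f=$(mktemp)
  make_sample_inetd_conf "$f"
  echo "active ToolTalk entries before: $(count_active_ttdb "$f")"
  disable_ttdb "$f"
  echo "active ToolTalk entries after:  $(count_active_ttdb "$f")"
  rm -f "$f" "$f.bak"
fi
```

The verification step matters because the inetd entry is only one of the ways the server can be started; `ttdb_registered` asks the portmapper directly, which is what a remote attacker's scanner would do.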
Bill Bradford, operator of SunHelp.org, a non-profit Web site devoted to Sun computer systems, says patching the flaws should be a high priority just to be safe. "Patching any major flaw or security hole in the OS, including the graphical user environment, should be first and foremost in administrators' minds," he said.
Arce suggests users think twice about using CDE ToolTalk given its security history. "If CDE and ToolTalk are needed then a serious and complete audit should be done in order to assess the risk associated with its usage," Arce said. "Otherwise users are putting themselves at risk without knowing what might happen with the next CDE bug to come."
Echoing those sentiments, Unix specialist Robson advised against using windowing systems on any production servers. "In terms of Unix workstations, it is most likely a necessary evil but consideration should be given to using an open-source product for which code reviews can be undertaken," he said.