Problem solve Get help with specific problems with your technologies, process and projects.

Vulnerability of Xvfb on Sun Solaris

I'm using Oracle 9IAS on a Sun Solaris box for an internal application. The original requirement was to have an active X-window/server session on a workstation (for monitoring purposes). I decided against that solution, and went with Xvfb/Openlook scenario instead.

I cannot find any useful vulnerability information with Xvfb on a Sun Solaris box. Any suggestions or comments or information that I could use in making an official determination?

Xvfb is a virtual frame buffer for X windows, as I'm sure you know.

One uses it on a headless workstation so that an X application can draw into a piece of memory and not whine that there is no display on a given workstation.

I know of no security problems with Xvfb myself -- remember, it's nothing more than a piece of virtual memory pretending to be a video display card. There's not a lot to go wrong.

Now having said that, X has its own set of security issues. A decade ago, these were a much bigger deal than they are now. Standard installations of X lock down things pretty tightly. But those are things you'd have to worry about no matter what.

A search of Bugtraq for xvfb turns up two references to X11 cookie hijack problems (dating from 1998) and an XFree86 3.1.2 problem from 1996. That's a rather clean bill of health.

This was last published in April 2002

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.