CERT: Exploit circulating for CDE hole in Solaris

Hackers are actively exploiting a known vulnerability in Sun Microsystems Inc.’s Solaris version of the Unix operating system, security experts said Jan. 14, urging administrators to check if their system is vulnerable.

The U.S. government-funded Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh said in an advisory that it had received “credible reports” of an exploit for Solaris systems. An exploit is a software tool, often used by hackers, that takes advantage of a vulnerability to break into computer systems.

The exploit takes advantage of a buffer overflow vulnerability that was first discovered in March 1999. The flaw, in a library function used by the CDE (Common Desktop Environment), could allow an attacker to take full control of the system, CERT/CC said. CDE is a graphical user interface that is typically installed by default on Unix systems.

CDE is “a fairly widespread product on Unix platforms” and is included in products from Sun Microsystems Inc., IBM Corp., Hewlett-Packard Co. and Compaq Computer Corp., according to Art Manion, an Internet security analyst with CERT/CC.

The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from remote clients to execute commands and launch programs remotely. The service does not perform adequate input validation, so a malicious client could send crafted data and cause a buffer overflow, according to CERT/CC.

CERT/CC advises administrators to check if a system is configured to run dtspcd by looking for the entries “dtspc 6112/tcp” in “/etc/services” and “dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd” in “/etc/inetd.conf”.
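The two-file check above, written out as a POSIX shell script. This is an added example, not code from the article or from CERT/CC: it takes the paths of the services and inetd.conf files as arguments (so it can be run against copies collected from a host), and the helper that writes sample files with constructed contents exists only so the checks can be exercised offline. The one detail worth noticing is that an entry disabled by commenting it out in inetd.conf must not be counted as active, and that the services entry on its own says nothing about whether inetd actually starts the daemon.

```shell
#!/bin/sh
# Added example, not code from the article or from CERT/CC. It applies the
# two indicators named in the advisory to the services and inetd.conf files
# passed as arguments (normally /etc/services and /etc/inetd.conf).

# True (exit 0) when the services file maps "dtspc" to 6112/tcp.
# Leading whitespace and tabs or spaces between fields are accepted.
has_dtspc_service() {
    grep -Eq '^[[:space:]]*dtspc[[:space:]]+6112/tcp' "$1"
}

# True (exit 0) when inetd.conf contains a live dtspc entry. The pattern is
# anchored at the start of the line (after optional whitespace), so an entry
# that an administrator disabled by prefixing it with "#" is not counted.
has_dtspc_inetd() {
    grep -Eq '^[[:space:]]*dtspc[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]+/usr/dt/bin/dtspcd' "$1"
}

# Verdict: exit 0 if dtspcd is configured to run (both indicators present),
# exit 1 otherwise. The services entry alone is not enough: it is present on
# most systems whether or not inetd is told to start the daemon.
dtspcd_enabled() {
    services="$1"
    inetd="$2"
    if has_dtspc_service "$services" && has_dtspc_inetd "$inetd"; then
        echo "dtspcd is configured to run (dtspc entries found in $services and $inetd)"
        return 0
    fi
    echo "dtspcd is not configured to run (no active dtspc entry in $inetd)"
    return 1
}

# Writes constructed sample files into the directory given as $1. With $2 set
# to "enabled" the inetd entry is live; with "disabled" it is commented out,
# as an administrator who switched the service off would leave it. The
# services entry is written in both cases.
make_sample_configs() {
    dir="$1"
    state="$2"
    printf '%s\n' '# constructed sample /etc/services' 'ftp 21/tcp' 'dtspc 6112/tcp' > "$dir/services"
    if [ "$state" = "disabled" ]; then
        prefix="#"
    else
        prefix=""
    fi
    printf '# constructed sample /etc/inetd.conf\n' > "$dir/inetd.conf"
    printf '%sdtspc\tstream\ttcp\tnowait\troot\t/usr/dt/bin/dtspcd\t/usr/dt/bin/dtspcd\n' "$prefix" >> "$dir/inetd.conf"
}

# Usage when run directly: sh check_dtspcd.sh /etc/services /etc/inetd.conf
if [ $# -eq 2 ]; then
    dtspcd_enabled "$1" "$2"
fi
```

The script's exit status is the verdict, so it can be dropped into a fleet-wide inventory loop; a host reporting exit 0 is one where the advisory's patch, the network block on the service, and the monitoring it recommends all apply.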

Many Unix and Linux flavours are vulnerable, and vendors issued patches for the problem long ago. Any system that does not run dtspcd is not vulnerable to this problem.

Though information about the flaw in CDE has been available since 1999, CERT/CC issued its first advisory on the matter late last year, Manion said. Tuesday’s advisory was the result of evidence, obtained from the online computer security research group the Honeynet Project, that the bug is being attacked, he said.

Despite information about the bug being available for so long, it’s “entirely possible” that there are a significant number of CDE users who have not patched their systems, Manion said. He is not aware of any compromises as a result of the vulnerability, but he urged CDE users to apply the patch, to block access from untrusted networks to the Subprocess Control Service and to monitor for activity related to the service.

The CERT/CC advisory can be found at http://www.cert.org/advisories/CA-2002-01.html.

CERT/CC, in Pittsburgh, can be contacted at http://www.cert.org/.