ISS: Security flaw affects six flavors of Unix

Internet Security Systems (ISS) is warning of a serious vulnerability that could leave Unix systems from Sun Microsystems Inc., Hewlett-Packard Co., IBM Corp., Silicon Graphics Inc. (SGI), Compaq Computer Corp. and Caldera Systems Inc. open to attack.

The flaw, a buffer overflow vulnerability discovered in the Unix graphical interface called Common Desktop Environment (CDE), could allow savvy remote attackers to gain complete root control over the affected systems.

The Unix vulnerability was identified by ISS in its labs about a month ago, and ISS contacted the vendors at that time to work with them on the problem. Each vendor is working on a software patch to fix it, but when Caldera became the first to release its patch, ISS decided it was time to notify the public about the flaw. CERT has also just issued an advisory about the problem.

“This vulnerability affecting CDE is on by default in most Unix servers and desktops,” says Dan Ingevaldson, ISS team leader for the X-Force, the ISS division that works on uncovering security vulnerabilities and responding to them in a speedy fashion. “The buffer-overflow vulnerability we identified affects one daemon component in DCE called ‘dtspcd,’ the sub-processor control service.”

By executing a string of random commands to override the buffer, an attacker could take advantage of the Unix flaw during the connection negotiation routine in dtspcd, thereby gaining control of the machine.

So far, no known hacker tool has been posted to exploit this attack, and industry security experts familiar with the problem don’t plan to publish the precise attack sequence.

But the vulnerability is serious enough that ISS is urging companies with Unix systems from Sun, HP, IBM, SGI, Compaq and Caldera to check with their vendors about patch availability. ISS also suggests that network administrators may want to disable or limit access to the CDE service until patches are available.

ISS, which markets its own vulnerability-detection software called RealSecure Server Sensor, notes that the software can be used to block attempts at accessing the dtspcd port. A separate product from ISS, the RealSecure Network Sensor, can be configured for port 6112 to detect potential attacks.

ISS’ Ingevaldson noted it was difficult to coordinate a group response from the six vendors to deal with the Unix flaw.

“We weren’t going to announce this until mid-December, giving the vendors 45 days to work on the problem,” Ingevaldson acknowledged. “But this has been difficult to resolve, given the need for regression testing to make sure things work right.”

Since Caldera was the first to break silence on the subject, ISS determined it was appropriate to offer its general analysis on the Unix CDE flaw so that corporations and government agencies can take appropriate steps to respond to what it deems an important security issue.