Sun Confirms Multiple Vulnerabilities Affecting Solaris

Sun Microsystems is warning users about a remote code execution vulnerability in Sun Solaris and is recommending that users work around the issue.

Alan Coopersmith, a member of the X Window System engineering team at Sun, confirmed in his blog reports of X font server vulnerabilities. He noted that the bugs not only affect Solaris, but are exposed to the network by default in some Solaris installs.

Early in October, researchers at iDefense disclosed that they had discovered multiple vulnerabilities in the X font server. The X Window System, also known as X11, is a graphical windowing system used on Unix-like systems, according to iDefense. The X Window System font server (xfs) is used to render fonts for the X server.

"Remote exploitation of multiple vulnerabilities in X.Org Foundation's X font server, as included in various vendors' operating system distributions, could allow an attacker to execute arbitrary code," iDefense reported in an online advisory. "An integer overflow vulnerability exists within the handlers for the QueryXBitmaps and QueryXExtents protocol requests. Both requests result in a call to the build_range() function. This function takes a 32-bit integer from the request, and uses it in an arithmetic operation that calculates the size of a dynamic buffer. This calculation can overflow, which leads to an improperly sized memory allocation. This results in a heap overflow."

Coopersmith recommended that, until a patch comes out, users should turn off the X font server if they don't need it. He added that Sun developers are working on an official alert and patches but did not say when any of them would be ready.

He also noted that not all versions of Solaris are affected.

It's only older installs that are vulnerable by default, according to Coopersmith. "Solaris versions up through Solaris 10 6/06 run xfs by default from 'inetd' listening to the network," he wrote. "Solaris 10 11/06 and later Solaris 10 releases ask you at install time if you want your network services to default to being open or closed. Solaris Nevada/Express just closes them all by default and requires you to turn back on the ones you want."

He also gave some pointers for how to turn off the X font server. They can be found at this Web site.