XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions.

When the IPv6 code was added to xdm a critical test to disable xdmcp was accidentally removed. This caused xdm to create the chooser socket regardless if DisplayManager.requestPort was disabled in xdm-config or not.

Updated XFree86 packages that fix several security flaws in libXpm, as well as other bugs, are now available for Red Hat Enterprise Linux 3.

XFree86 is an open source implementation of the X Window System. It provides the basic low level functionality which full fledged graphical user interfaces (GUIs) such as GNOME and KDE are designed upon.

During a source code audit, Chris Evans discovered several stack overflow flaws and an integer overflow flaw in the X.Org libXpm library used to decode XPM (X PixMap) images. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0687, CVE-2004-0688, and CVE-2004-0692 to these issues.

A flaw was found in the X Display Manager (XDM). XDM is shipped with Red Hat Enterprise Linux, but is not used by default. XDM opened a chooserFd TCP socket even if the DisplayManager.requestPort parameter was set to 0. This allowed authorized users to access a machine remotely via X, even if the administrator had configured XDM to refuse such connections. Although XFree86 4.3.0 was not vulnerable to this issue, Red Hat Enterprise Linux 3 contained a backported patch which introduced this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0419 to this issue.

Users are advised to upgrade to these erratum packages, which contain backported security patches to correct these and a number of other issues.

The remote host is affected by the vulnerability described in GLSA-200407-05 (XFree86, X.org: XDM ignores requestPort setting)

    XDM will open TCP sockets for its chooser, even if the     DisplayManager.requestPort setting is set to 0. Remote clients can use this     port to connect to XDM and request a login window, thus allowing access to     the system.
  Impact :

    Authorized users may be able to login remotely to a machine running XDM,     even if this option is disabled in XDM's configuration. Please note that an     attacker must have a preexisting account on the machine in order to exploit     this vulnerability.
  Workaround :

    There is no known workaround at this time. All users should upgrade to the     latest available version of X.

Steve Rumble discovered XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions.

The updated packages are patched to correct the problem.

ID	Name	Product	Family	Severity
38133	FreeBSD : XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0 (ff00f2ce-c54c-11d8-b708-00061bc2ad93)	Nessus	FreeBSD Local Security Checks	high
15426	RHEL 3 : XFree86 (RHSA-2004:478)	Nessus	Red Hat Local Security Checks	high
14538	GLSA-200407-05 : XFree86, X.org: XDM ignores requestPort setting	Nessus	Gentoo Local Security Checks	high
14171	Mandrake Linux Security Advisory : XFree86 (MDKSA-2004:073)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2004-0419

critical

Tenable Plugins

high

high

high

high