Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.

According to the versions of the xorg-x11-server packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in xorg-x11-server before 1.20.3. An     incorrect permission check for -modulepath and -logfile     options when starting Xorg. X server allows     unprivileged users with the ability to log in to the     system via physical console to escalate their     privileges and run arbitrary code under root     privileges.(CVE-2018-14665)

  - In the X.Org X server before 2017-06-19, a user     authenticated to an X Session could crash or execute     code in the context of the X Server by exploiting a     stack overflow in the endianness conversion of X     Events.(CVE-2017-10971)

  - In X.Org Server (aka xserver and xorg-server) before     1.19.4, an attacker authenticated to an X server with     the X shared memory extension enabled can cause aborts     of the X server or replace shared memory segments of     other X clients in the same session.(CVE-2017-13721)

  - It was found that xorg-x11-server before 1.19.0     including uses memcmp() to check the received MIT     cookie against a series of valid cookies. If the cookie     is correct, it is allowed to attach to the Xorg     session. Since most memcmp() implementations return     after an invalid byte is seen, this causes a time     difference between a valid and invalid byte, which     could allow an efficient brute force     attack.(CVE-2017-2624)

  - Uninitialized data in endianness conversion in the     XEvent handling of the X.Org X Server before 2017-06-19     allowed authenticated malicious users to access     potentially privileged data from the X     server.(CVE-2017-10972)

  - xorg-x11-server before 1.19.5 had wrong extra length     check in ProcXIChangeHierarchy function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12178)

  - xorg-x11-server before 1.19.5 was missing extra length     validation in ProcEstablishConnection function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12176)

  - xorg-x11-server before 1.19.5 was missing length     validation in MIT-SCREEN-SAVER extension allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12185)

  - xorg-x11-server before 1.19.5 was missing length     validation in RENDER extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12187)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFIXES extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12183)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 DGA extension allowing malicious     X client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12181)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 DRI extension allowing malicious     X client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12182)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 VidModeExtension allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12180)

  - xorg-x11-server before 1.19.5 was missing length     validation in XINERAMA extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12184)

  - xorg-x11-server before 1.19.5 was missing length     validation in X-Resource extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12186)

  - xorg-x11-server before 1.19.5 was vulnerable to integer     overflow in (S)ProcXIBarrierReleasePointer functions     allowing malicious X client to cause X server to crash     or possibly execute arbitrary code.(CVE-2017-12179)

  - xorg-x11-server before 1.19.5 was vulnerable to integer     overflow in ProcDbeGetVisualInfo function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12177)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the xorg-x11-server packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - xorg-x11-server before 1.19.5 was vulnerable to integer     overflow in ProcDbeGetVisualInfo function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12177)

  - xorg-x11-server before 1.19.5 had wrong extra length     check in ProcXIChangeHierarchy function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12178)

  - xorg-x11-server before 1.19.5 was vulnerable to integer     overflow in (S)ProcXIBarrierReleasePointer functions     allowing malicious X client to cause X server to crash     or possibly execute arbitrary code.(CVE-2017-12179)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 VidModeExtension allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12180)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 DGA extension allowing malicious     X client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12181)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFree86 DRI extension allowing malicious     X client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12182)

  - xorg-x11-server before 1.19.5 was missing length     validation in XFIXES extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12183)

  - xorg-x11-server before 1.19.5 was missing length     validation in XINERAMA extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12184)

  - xorg-x11-server before 1.19.5 was missing length     validation in MIT-SCREEN-SAVER extension allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12185)

  - xorg-x11-server before 1.19.5 was missing length     validation in X-Resource extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12186)

  - xorg-x11-server before 1.19.5 was missing length     validation in RENDER extension allowing malicious X     client to cause X server to crash or possibly execute     arbitrary code.(CVE-2017-12187)

  - In X.Org Server (aka xserver and xorg-server) before     1.19.4, an attacker authenticated to an X server with     the X shared memory extension enabled can cause aborts     of the X server or replace shared memory segments of     other X clients in the same session.(CVE-2017-13721)

  - It was found that xorg-x11-server before 1.19.0     including uses memcmp() to check the received MIT     cookie against a series of valid cookies. If the cookie     is correct, it is allowed to attach to the Xorg     session. Since most memcmp() implementations return     after an invalid byte is seen, this causes a time     difference between a valid and invalid byte, which     could allow an efficient brute force     attack.(CVE-2017-2624)

  - A flaw was found in xorg-x11-server before 1.20.3. An     incorrect permission check for -modulepath and -logfile     options when starting Xorg. X server allows     unprivileged users with the ability to log in to the     system via physical console to escalate their     privileges and run arbitrary code under root     privileges.(CVE-2018-14665)

  - In the X.Org X server before 2017-06-19, a user     authenticated to an X Session could crash or execute     code in the context of the X Server by exploiting a     stack overflow in the endianness conversion of X     Events.(CVE-2017-10971)

  - Uninitialized data in endianness conversion in the     XEvent handling of the X.Org X Server before 2017-06-19     allowed authenticated malicious users to access     potentially privileged data from the X     server.(CVE-2017-10972)

  - xorg-x11-server before 1.19.5 was missing extra length     validation in ProcEstablishConnection function allowing     malicious X client to cause X server to crash or     possibly execute arbitrary code.(CVE-2017-12176)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

xorg-server developers reports :

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.

New xorg-server packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to crash the server, or possibly execute arbitrary code as an administrator. (CVE-2017-10971)

It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to possibly obtain sensitive information. (CVE-2017-10972)

Eric Sesterhenn discovered that the X.Org X server incorrectly compared MIT cookies. An attacker could possibly use this issue to perform a timing attack and recover the MIT cookie. (CVE-2017-2624).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xorg-x11-server fixes the following issues :

  - CVE-2017-10971: Fix endianess handling of GenericEvent     to prevent a stack overflow by clients. (bnc#1035283)

  - Make sure the type of all events to be sent by     ProcXSendExtensionEvent are in the allowed range.

  - CVE-2017-10972: Initialize the xEvent eventT with zeros     to avoid information leakage.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xorg-x11-server provides the following fixes :

  - CVE-2017-10971: Fix endianess handling of GenericEvent     to prevent a stack overflow by clients. (bnc#1035283)

  - Make sure the type of all events to be sent by     ProcXSendExtensionEvent are in the allowed range.

  - CVE-2017-10972: Initialize the xEvent eventT with zeros     to avoid information leakage.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xorg-x11-server fixes the following issues :

  - CVE-2017-10971: Fix endianess handling of GenericEvent     to prevent a stack overflow by clients. (bnc#1035283)

  - Make sure the type of all events to be sent by     ProcXSendExtensionEvent are in the allowed range.

  - CVE-2017-10972: Initialize the xEvent eventT with zeros     to avoid information leakage.

  - Improve retrieval of entropy for generating random     authentication cookies (boo#1025084)

CVE-2017-10971

        A user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

CVE-2017-10972

        Uninitialized data in endianness conversion in the XEvent handling of the         X.Org X Server allowed authenticated malicious users to access potentially privileged data from the X server. 

For Debian 7 'Wheezy', these problems have been fixed in version 2:1.12.4-6+deb7u7.

We recommend that you upgrade your xorg-server packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two security issues have been discovered in the X.org X server, which may lead to privilege escalation or an information leak.

ID	Name	Product	Family	Severity
132218	EulerOS 2.0 SP3 : xorg-x11-server (EulerOS-SA-2019-2683)	Nessus	Huawei Local Security Checks	critical
131913	EulerOS 2.0 SP2 : xorg-x11-server (EulerOS-SA-2019-2421)	Nessus	Huawei Local Security Checks	critical
103909	FreeBSD : xorg-server -- Multiple Issues (ab881a74-c016-4e6d-9f7d-68c8e7cedafb)	Nessus	FreeBSD Local Security Checks	high
102501	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : xorg-server (SSA:2017-227-01)	Nessus	Slackware Local Security Checks	high
101949	Ubuntu 14.04 LTS / 16.04 LTS : X.Org X server vulnerabilities (USN-3362-1)	Nessus	Ubuntu Local Security Checks	high
101765	SUSE SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1861-1)	Nessus	SuSE Local Security Checks	high
101764	SUSE SLED12 / SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1860-1)	Nessus	SuSE Local Security Checks	high
101763	SUSE SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1859-1)	Nessus	SuSE Local Security Checks	high
101760	openSUSE Security Update : xorg-x11-server (openSUSE-2017-825)	Nessus	SuSE Local Security Checks	high
101552	Debian DLA-1026-1 : xorg-server security update	Nessus	Debian Local Security Checks	high
101520	SUSE SLES11 Security Update : xorg-x11-server (SUSE-SU-2017:1850-1)	Nessus	SuSE Local Security Checks	high
101323	Debian DSA-3905-1 : xorg-server - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-10972

medium

Tenable Plugins

critical

critical

high

high

high

high

high

high

high

high

high

high