A vulnerability in the Common Desktop Environment (CDE) graphical user interface for the UNIX and Linux operating systems is being actively exploited in attacks against Solaris systems, the Computer Emergency Response Team Coordination Center (CERT/CC) warned Monday.
The vulnerability, discovered in November, consists of a remotely exploitable buffer overflow in a library function used by the CDE Subprocess Control Service (dtspcd), a network daemon that accepts requests from clients to execute commands and launch applications remotely. CERT said that on systems running CDE dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges.
During client negotiation, dtspcd accepts a length value and subsequent data from the client with performing adequate input validation, CERT said. Using this flaw, an attacker can manipulate data sent to dtspcd, causing a buffer overflow and potentially gaining the ability to execute code with root privileges.
Many UNIX systems ship with CDE installed and enabled by default.
CERT said it has received reports of scanning for dtspcd (6112/tcp) since the advisory on the vulnerability was released in November, and now, using network traces provided by The Honeynet Project, CERT said it has confirmed that the vulnerability is being actively exploited.
As a stopgap until patches are available, CERT suggested limiting or blocking access to the Subprocess Control Service from untrusted networks by using a firewall or other packet-filtering technology. Additionally, CERT said it may be possible to use a TCP wrapper to provide improved access control and logging functionality for dtspcd connections. CERT also suggested disabling dtspcd by commenting out the appropriate entry in /etc/inetd.conf.
CERT also noted that several Internet-enabled games may use 6112/tcp as part of a legitimate function.