SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Xserver
Vendors:   Santa Cruz Operations
SCO OpenServer X Session Access Controls Do Not Permit Xauthority Controls for Some X Sessions
SecurityTracker Alert ID:  1010116
SecurityTracker URL:  http://securitytracker.com/id/1010116
CVE Reference:   CVE-2004-0390
Date:  May 11 2004
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in SCO OpenServer in the processing of X sessions. Sessions that are not started by scologin use potentially less secure host access control methods.

SCO reported that the X authorization protocol (Xauthority) is not available to sessions that are not started by scologin, limiting access controls to host-based granularity.

The vendor credits Kevin R Finisterre with reporting this security issue.

Impact:   A remote user on an authorized host may be able to gain access to an X session.
Solution:   SCO has issued a fix that extends Xauthority controls to startx and xinit.

OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7:

Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.5

Verification

MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40

Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory

2) Run the custom command, specify an install from media images, and specify the directory as the location of the images.

Set up a .Xauthority file (see the xauth(X) man page).

Quit & restart the X server.

Vendor URL:  www.sco.com/
Cause:   Access control error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  OpenServer 5.0.5, 5.0.6, 5.0.7

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] UPDATED OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin

______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
Advisory number: 	SCOSA-2004.5
Issue date: 		2004 April 07
Cross reference: 	sr862325 fz520452 erg712002 CAN-2004-0390
______________________________________________________________________________


1. Problem Description

	As noted in the Xsecurity(X) man page, OpenServer 5 provides
	multiple X display access control mechanisms. 

	The least secure is the Host Access method, where any 
	client on a host in the host access control list (which 
	is managed by the xhost command) is allowed access to 
	the X server. 

	More secure access methods are provided using the X 
	authorization protocol (Xauthority). Currently, OpenServer 5 
	supports the X authorization protocol only for X sessions 
	which are started by scologin. 

	This supplement provides support for the X authorization 
	protocol for X sessions which are not started by scologin 
	(e.g., sessions which are started via startx).

	In order to prevent unauthorized access to your system, do not 
	use the xhost command to grant access to your X server.  Instead, 
	it is recommended that you use the access provided by the 
	.Xauthority file.  

	With this supplement applied, scologin, startx, and xinit can all 
	be used to start the X server using the MIT-MAGIC-COOKIE-1 access 
	control system as described in the Xsecurity(X) man page.  
	If the X server is started directly (by running X or Xsco), 
	Xauthority-style access control will not be enabled.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0390 to this issue. 

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5		X display system 	
	OpenServer 5.0.6 		X display system
	OpenServer 5.0.7		X display system

3. Solution

	The proper solution is to install the latest packages 
	and enable Xauthority.


4. OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.5

	4.2 Verification

	MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the directory as the location of
	the images.

	4.4 Set up a .Xauthority file (see the xauth(X) man page).

	4.5 Quit & restart the X server.
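	The .Xauthority record that step 4.4 asks you to set up, and the MIT-MAGIC-COOKIE-1 check described in section 1, as an added Python example that is not part of the SCO advisory or its supplement: it builds a record in the standard X11 Xau file layout with a fresh 128-bit cookie, writes the file owner-readable only, parses it back, and shows the server-side cookie comparison that replaces xhost's host-level trust. The hostname and display number are constructed sample values; on OpenServer the xauth(X) command performs the equivalent steps.

```python
import hmac
import os
import secrets
import struct

# Address-family codes from the public X11 .Xauthority layout (not from the advisory).
FAMILY_INTERNET = 0
FAMILY_LOCAL = 256

def _field(data):
    """One length-prefixed field: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def make_entry(host, display, family=FAMILY_LOCAL):
    """Build one .Xauthority record with a fresh 128-bit MIT-MAGIC-COOKIE-1; returns (record, cookie)."""
    cookie = secrets.token_bytes(16)  # the secret a client must present to the X server
    record = (struct.pack(">H", family) + _field(host.encode()) + _field(display.encode())
              + _field(b"MIT-MAGIC-COOKIE-1") + _field(cookie))
    return record, cookie

def parse_entries(blob):
    """Decode every record in a .Xauthority blob (the same layout `xauth list` reads)."""
    entries, pos = [], 0
    def take():
        nonlocal pos
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        val = blob[pos:pos + n]
        if len(val) != n:
            raise ValueError("truncated .Xauthority record")
        pos += n
        return val
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        entries.append({"family": family, "address": take(), "number": take().decode(),
                        "name": take().decode(), "data": take()})
    return entries

def write_xauthority(path, records):
    """Create the file with mode 0600: anyone who can read the cookie can use the display."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(records)

def client_authorized(entries, display, presented):
    """Server-side check: an exact cookie for this display, compared in constant time."""
    return any(e["name"] == "MIT-MAGIC-COOKIE-1" and e["number"] == display
               and hmac.compare_digest(e["data"], presented) for e in entries)
```

A client on a host that xhost would have admitted wholesale is still refused unless it presents the exact 16-byte cookie for that display, which is the granularity the supplement adds for startx and xinit sessions.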

5. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0390

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr862325 fz520452
	erg712002.


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


7. Acknowledgments

	SCO would like to thank Kevin R Finisterre

______________________________________________________________________________

