Multi-vendor CDE dtspcd daemon buffer overflow

cde-dtspcd-bo (7396)

High Risk

Description:

The CDE Subprocess Control Server daemon (dtspcd) is vulnerable to a buffer overflow. By sending a specially-crafted CDE client request, a remote attacker can overflow a buffer in the connection negotiation routine within dtspcd and execute arbitrary commands on the system with superuser privileges.

The Subprocess Control Server daemon is enabled by default on all operating systems with CDE installed. This process is run by the root user and accepts remote connections by default.

Consequences:

Gain Privileges

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
CdeDtspcdBo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
Dtspcd_Overflow

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 6612

For Manual Protection:

For Caldera UnixWare 7 and OpenUNIX 8.0.0:
Apply the appropriate patch for your system, as listed in Caldera International, Inc. Security Advisory CSSA-2001-SCO.30. See References.

For HP-UX releases 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11:
Download and install the latest replacement dtspcd files as listed in Hewlett-Packard Security Bulletin #00175 (HPSBUX0111-175). See References.

For Solaris 8, 7, 2.6, and 2.5.1:
Apply the appropriate patch for your system, as listed in Sun Microsystems, Inc. Security Bulletin #00214. See References.

For other distributions:
Contact your vendor for upgrade or patch information..

References:

• Caldera International, Inc. Security Advisory CSSA-2001-SCO.30: Open UNIX, UnixWare 7: DCE SPC library buffer overflow.
• CERT Advisory CA-2001-31: Buffer Overflow in CDE Subprocess Control Service.
• CERT Advisory CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service.
• CIAC Information Bulletin M-019: Multiple Vendor CDE dtpscd Process Buffer Overflow.
• Compaq SECURITY BULLETIN (SSRT-541): Tru64 UNIX CDE, NFS and NIS related Potential Security Vulnerabilities.
• Hewlett-Packard Company Security Bulletin HPSBUX0111-175: Sec. Vulnerability in dtspcd. (From SecurityFocus archive.)
• Internet Security Systems Security Alert #101: Multi-Vendor Buffer Overflow Vulnerability in CDE Subprocess Control Service.
• SGI Security Advisory 20011107-01-P: CDE vulnerabilities.
• SGI Security Advisory 20020302-01-A: Additional CDE and CDE ToolTalk Vulnerabilities.
• Sun Microsystems, Inc. Security Bulletin #00214: dtspcd.
• BID-3517: Multiple Vendor CDE dtspcd Buffer Overflow Vulnerability
• CVE-2001-0803: Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
• US-CERT VU#172583: Common Desktop Environment (CDE) Subprocess Control Service dtspcd contains buffer overflow

Platforms Affected:

• Compaq Tru64 4.0f
• Compaq Tru64 4.0g
• Compaq Tru64 5.0a
• Compaq Tru64 5.1
• Compaq Tru64 5.1a
• HP HP-UX 10.10
• HP HP-UX 10.20
• HP HP-UX 10.24
• HP HP-UX 11.00
• HP HP-UX 11.04
• HP HP-UX 11.11
• IBM AIX 4.3
• IBM AIX 5.1
• Open Group Common Desktop Environment (CDE)
• SCO Caldera OpenUnix 8.0.0
• SCO Caldera UnixWare 7
• SGI IRIX 6.5
• SGI IRIX 6.5 20
• SGI IRIX 6.5.1
• SGI IRIX 6.5.10
• SGI IRIX 6.5.10f
• SGI IRIX 6.5.10m
• SGI IRIX 6.5.11
• SGI IRIX 6.5.11f
• SGI IRIX 6.5.11m
• SGI IRIX 6.5.12
• SGI IRIX 6.5.12f
• SGI IRIX 6.5.12m
• SGI IRIX 6.5.13
• SGI IRIX 6.5.13f
• SGI IRIX 6.5.13m
• SGI IRIX 6.5.14
• SGI IRIX 6.5.14f
• SGI IRIX 6.5.14m
• SGI IRIX 6.5.15
• SGI IRIX 6.5.15f
• SGI IRIX 6.5.15m
• SGI IRIX 6.5.16
• SGI IRIX 6.5.16f
• SGI IRIX 6.5.16m
• SGI IRIX 6.5.17
• SGI IRIX 6.5.17f
• SGI IRIX 6.5.17m
• SGI IRIX 6.5.18
• SGI IRIX 6.5.18f
• SGI IRIX 6.5.18m
• SGI IRIX 6.5.19
• SGI IRIX 6.5.19f
• SGI IRIX 6.5.19m
• SGI IRIX 6.5.2
• SGI IRIX 6.5.20
• SGI IRIX 6.5.20f
• SGI IRIX 6.5.20m
• SGI IRIX 6.5.21
• SGI IRIX 6.5.21f
• SGI IRIX 6.5.21m
• SGI IRIX 6.5.22
• SGI IRIX 6.5.22m
• SGI IRIX 6.5.23
• SGI IRIX 6.5.23m
• SGI IRIX 6.5.24
• SGI IRIX 6.5.24m
• SGI IRIX 6.5.25
• SGI IRIX 6.5.26
• SGI IRIX 6.5.27
• SGI IRIX 6.5.28
• SGI IRIX 6.5.2f
• SGI IRIX 6.5.2m
• SGI IRIX 6.5.3
• SGI IRIX 6.5.3f
• SGI IRIX 6.5.3m
• SGI IRIX 6.5.4
• SGI IRIX 6.5.4f
• SGI IRIX 6.5.4m
• SGI IRIX 6.5.5
• SGI IRIX 6.5.5f
• SGI IRIX 6.5.5m
• SGI IRIX 6.5.6
• SGI IRIX 6.5.6f
• SGI IRIX 6.5.6m
• SGI IRIX 6.5.7
• SGI IRIX 6.5.7f
• SGI IRIX 6.5.7m
• SGI IRIX 6.5.8
• SGI IRIX 6.5.8f
• SGI IRIX 6.5.8m
• SGI IRIX 6.5.9
• SGI IRIX 6.5.9f
• SGI IRIX 6.5.9m
• Sun Solaris 2.5.1
• Sun Solaris 2.6
• Sun Solaris 7.0
• Sun Solaris 8

Reported:

Nov 12, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page