CVSS2
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile: 30.7%
A locally exploitable buffer overflow exists in the Low BandWidth X proxy.
The Low BandWidth X proxy is a component of XFree86 (a freely redistributable open-source implementation of the X Window System). The Low BandWidth X proxy allows applications to transparently take advantage of the Low Bandwidth extension to X (LBX). LBX allows one to make more efficient use of low bandwidth high latency communication links. Quoting from LBX technical specifications:
Low Bandwidth X (LBX) is a network-transparent protocol for running X Window System applications over transport channels whose bandwidth and latency are significantly worse than that used in local area networks. It combines a variety of caching and reencoding techniques to reduce the volume of data that must be sent over the wire. It can be used with existing clients by placing a proxy between the clients and server, so that the low bandwidth/high latency communication occurs between the proxy and server.
The vulnerability manifests itself in the following function: `lbxproxy/di/wire.c:ConnectToServer`
A local attacker can execute arbitrary code with root privileges.
Apply a vendor patch.
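Vendor statements further down this note (XFree86, IRIX) tie exploitability to whether lbxproxy is installed set-uid or set-gid. The following check for that condition is an added example, not part of the CERT/CC note or any vendor's tooling; the function names and default search directories are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: list lbxproxy binaries and flag
# any that carry the set-uid or set-gid bit.
# Usage after sourcing this file: audit_lbxproxy /usr/X11R6/bin

# Assumed default search paths; pass your own directories as arguments.
DEFAULT_DIRS="/usr/X11R6/bin /usr/bin/X11 /usr/bin"

# classify_mode MODE: MODE is the ls -l mode string, e.g. -rwsr-xr-x.
# Character 4 is s/S when set-uid is on, character 7 when set-gid is on.
classify_mode() {
    flags=""
    case $1 in ???[sS]*) flags="SETUID" ;; esac
    case $1 in ??????[sS]*) flags="${flags:+$flags+}SETGID" ;; esac
    printf '%s\n' "${flags:-plain}"
}

# audit_lbxproxy [DIR...]: prints "STATUS MODE UID:GID PATH" per binary.
# Returns 1 if any binary is set-uid or set-gid, 0 otherwise.
audit_lbxproxy() {
    [ "$#" -gt 0 ] || set -- $DEFAULT_DIRS
    report=$(
        for dir in "$@"; do
            [ -d "$dir" ] || continue
            find "$dir" -type f -name lbxproxy 2>/dev/null
        done | while IFS= read -r path; do
            # ls -n prints numeric owner and group (uid 0 is root)
            ls -ldn "$path" | {
                read -r mode links uid gid rest
                printf '%s %s %s:%s %s\n' \
                    "$(classify_mode "$mode")" "$mode" "$uid" "$gid" "$path"
            }
        done
    )
    [ -z "$report" ] || printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^SET'; then
        return 1
    fi
    return 0
}
```

A line starting with `SETUID` or `SETGID` and owned by uid or gid 0 marks an install where the vendor patch matters most; a `plain` line matches the configuration the XFree86 statement describes.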
188507
Notified: April 03, 2002 Updated: August 19, 2002
Affected
HP has released patches to correct the buffer overflow in lbxproxy. Since this is not a security issue on HP-UX we do not plan to issue a security bulletin.
These patches corrected the lbxproxy overflow:
10.20 PHSS_25293 :Xserver:
11.00 PHSS_26566 :Xserver:
11.11 PHSS_26577 :Xserver:
11.04 PHSS_27542 :VVOS:Xserver:
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23188507 Feedback>).
Updated: August 19, 2002
Affected
<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44842>
Notified: April 03, 2002 Updated: April 04, 2002
Not Affected
lbxproxy(1) is not shipped with Mac OS X or Mac OS X Server.
Notified: April 05, 2002 Updated: April 11, 2002
Not Affected
Cray, Inc. will not be affected by VU#188507 because lbxproxy is not included in Unicos or Unicos/mk.
Notified: April 03, 2002 Updated: April 04, 2002
Not Affected
Fujitsu’s UXP/V operating system is not affected because it does not support the Low BandWidth X proxy functionality.
Notified: April 03, 2002 Updated: April 05, 2002
Not Affected
IBM’s AIX operating system, versions 4.3.x and 5.1, is not susceptible to this vulnerability.
Notified: April 03, 2002 Updated: June 12, 2002
Not Affected
This issue does not apply to Lotus products.
Notified: April 03, 2002 Updated: April 05, 2002
Not Affected
[Server Products]
Notified: April 03, 2002 Updated: April 04, 2002
Not Affected
Not exploitable.
Notified: April 03, 2002 Updated: April 11, 2002
Not Affected
lbxproxy is not sgid root in IRIX, and IRIX doesn’t appear to be vulnerable.
Notified: April 15, 2002 Updated: April 19, 2002
Not Affected
XFree86 doesn’t install lbxproxy either set-uid or set-gid, so with a standard XFree86 build/install it isn’t possible to exploit this.
Notified: April 03, 2002 Updated: April 03, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 03, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
Notified: April 03, 2002 Updated: April 04, 2002
Unknown
We have not received a statement from the vendor.
The CERT/CC thanks Sun Microsystems for reporting this vulnerability to us.
This document was written by Ian A. Finlay.
| CVE IDs: | CVE-2002-0090 |
|---|---|
| Severity Metric: | 7.50 |
| Date Public: | |