Gentoo FoundationGLSA-200407-05XFree86, X.org: XDM ignores requestPort setting
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.025 Low
EPSS
Percentile
90.1%
Background
The X Display Manager (XDM) is a program which provides a graphical login prompt to users on the console or on remote X terminals. It has largely been superseded by programs such as GDM and KDM.
Description
XDM will open TCP sockets for its chooser, even if the DisplayManager.requestPort setting is set to 0. Remote clients can use this port to connect to XDM and request a login window, thus allowing access to the system.
Impact
Authorized users may be able to login remotely to a machine running XDM, even if this option is disabled in XDM’s configuration. Please note that an attacker must have a preexisting account on the machine in order to exploit this vulnerability.
Workaround
There is no known workaround at this time. All users should upgrade to the latest available version of X.
Resolution
If you are using XFree86, you should run the following:
# emerge sync
# emerge -pv ">=x11-base/xfree-4.3.0-r6"
# emerge ">=x11-base/xfree-4.3.0-r6"
If you are using X.org’s X11 server, you should run the following:
# emerge sync
# emerge -pv ">=x11-base/xorg-x11-6.7.0-r1"
# emerge ">=x11-base/xorg-x11-6.7.0-r1"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | x11-base/xfree | <= 4.3.0-r5 | UNKNOWN |
| Gentoo | any | all | x11-base/xorg-x11 | <= 6.7.0 | UNKNOWN |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.025 Low
EPSS
Percentile
90.1%