The US government funded-Computer Emergency Response Team Coordination Center (CERT/CC) has warned that it has received "credible reports" of a means of breaching Solaris systems.
The warning refers to a buffer overflow vulnerability that was first discovered in March 1999. The flaw lies in a library function used by the Common Desktop Environment (CDE) which could allow an attacker to take full control over the system, CERT/CC said.
CDE is a default user interface on Unix systems and is included in products from Sun Microsystems, IBM, Hewlett-Packard and Compaq, according to Art Manion, an Internet security analyst with CERT/CC.
The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from remote clients to execute commands and launch programs remotely. The service does not perform adequate input validation, as a result of which a malicious client could manipulate data sent and cause a buffer overflow.
CERT/CC advises administrators to check if a system is configured to run dtspcd by looking for the entries "dtspc 6112/tcp" in "/etc/services" and "dtspc stream tcp nowait root/usr/dt/bin/dtspcd /usr/dt/bin/dtspcd" in "/etc/inetd.conf".
Several Unix and Linux flavours are vulnerable, though most vendors have already issued patches to fix the problem. Any system that does not run dtspcd will not be affected.
Although information about the flaw in CDE has been available since 1999, CERT/CC issued its first warning on the matter in late 2001, Manion said. The recent advisory was issued after the security research group, The Honeynet Project, discovered that hackers are exploiting the bug.
Despite information about the bug being available since 1999, it's "entirely possible" that there are a significant number of CDE users who have not patched their systems, Manion said. He is not aware of any compromises as a result of the vulnerability buturged CDE users to apply the patch to block access from untrusted networks to the Subprocess Control Service and to monitor for suspicious activity.