Advisories issued by Internet Security Systems (ISS) and the Computer Emergency Response Team/Co-ordination Centre (Cert) warn of a buffer overflow flaw in Sun's implementation of the X Windows Font Service (XFS), which serves font files to clients and runs by default on all versions of Solaris.
By formulating a specific XFS query, remote attackers can either crash the service or run arbitrary code with the privileges of the "nobody user". This privilege level is limited and similar to a normal user. However, after gaining access an attacker could use privilege escalation flaws to attain root status, the highest privilege level, according to ISS.
The XFS service (fs.auto) uses a high Transmission Control Protocol port, which mitigates the risk as these ports are usually blocked by firewalls, preventing an attack from the public Internet, said Gunter Ollmann, manager of X-Force Security Assessment Services at ISS.
"Normally this service would not be available over the Internet because it would be protected by a firewall, but internally this service is commonly available," he added.
The vulnerable service exposed on a corporate network makes an attack from the inside possible, but can also facilitate an attacker on the outside, Ollmann noted.
Should a host that is accessible from the Internet be compromised, an attacker could cascade his attacks and gain access to a Solaris machine by exploiting the XFS vulnerability.
Sun told ISS and Cert that it is working on a software update. Meanwhile, ISS advises users to disable XFS, unless it is explicitly required, and investigate firewall settings.
The ISS X-Force advisory is at:
The Cert/CC advisory is at: