Sun denies Unix flaw

Vendors alerted while Sun shies away

vnunet.com, 20 Nov 2001

A number of Unix vendors have been alerted to a security flaw, but Sun Microsystems is refusing to acknowledge that any problem exists.

Six vendors, including IBM, Hewlett-Packard and Sun, have been alerted to a vulnerability that ships with several Unix systems, which could allow a malicious attacker to take control of an affected system.

Internet Security Systems (ISS) identified the Unix vulnerability about a month ago, and the company warned that the serious weakness could be found in six Unix vendors' systems. ISS and CERT (Computer Emergency Response Team) issued an advisory about the problem.

While Caldera, Compaq and IBM said they had a patch for the problem, HP disagreed on the versions of its Unix flavour that needed the patch.

Sun said there wasn't a problem at all but it would investigate further, and SGI said it had acknowledged the CDE vulnerabilities and was currently investigating.

The affected software includes several versions of HP's HP-UX, IBM's AIX, Sun's Solaris, Caldera OpenUnix and UnixWare, and Compaq's Tru64 Unix.

"This vulnerability affecting CDE is, by default, on most Unix servers and desktops," said Dan Ingevaldson, ISS team leader for uncovering security vulnerabilities.

He said that no known hacker tool has been posted to exploit the attack, but pointed out that the vulnerability is serious enough that ISS is urging companies with Unix systems from the six vendors to check with them about patch availability.

According to an advisory from CERT, the vulnerability exists in a function used by the Common Desktop Environment (CDE). Because of an error in the way requests from clients are validated, hackers could manipulate data and cause a buffer overflow.

CERT said many common Unix and Linux systems ship with CDE installed and enabled by default. Some Unix vendors have provided information, which is available at CERT's website.

CERT advised that until patches were available, users could lessen their exposure by limiting or blocking access to the Subprocess Control Services from untrusted networks.