X Font Server (xfs) Security Hole in Solaris
By Alanc-Oracle on Oct 08, 2007
As noted in the ZDNet posting X Font Server flaw hits Sun Solaris hard, the recently announced X font server vulnerabilities not only affect Solaris, but are exposed to the network by default in some Solaris installs.
What the article fails to mention is that it's only older installs that are vulnerable by default - Solaris versions up through Solaris 10 6/06 run xfs by default from inetd listening to the network. Solaris 10 11/06 and later Solaris 10 releases ask you at install time if you want your network services to default to being open or closed. Solaris Nevada/Express just closes them all by default and requires you to turn back on the ones you want. (These changes came from the Solaris Secure by Default project, which has more information on its project pages.)
Our sustaining teams are producing patches and a Sun Alert covering this issue, but until then, if you don't need the X font server (on Solaris it's really only used for remote desktop sessions from computers without the standard Solaris fonts already installed - unlike some Linux'es, local sessions don't use it), you can easily turn it off in several ways:
- On all Solaris releases: “
/usr/openwin/bin/fsadmin -d”, which will either break the link that inetd uses (Solaris 2.6-Solaris 9) or use inetadm to disable the
svc:/application/x11/xfsservice (Solaris 10 & later).
- On Solaris 10 and later, you can do the same thing explicitly with “
/usr/sbin/inetadm -d svc:/application/x11/xfs:default”.
- On Solaris 2.6 through 9, you can do the traditional editing of
/etc/inetd.confto disable it, then “
pkill -HUP inetd”.
- If you'll never need it, and want to be sure it's gone, remove the xfs package with “
Update: Oops, had a typo in one of the instructions above - should have been “
pkill -HUP inetd”, not kill. Also, as Paul noted in the comments
the Sun Alert is now published, with interim fixes soon to follow, at http://sunsolve.sun.com/search/document.do?assetkey=1-26-103114-1.