{"vuid":"VU#179804","idnumber":"179804","name":"Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory","keywords":["CDE","dtlogin","XDMCPD","X-query","port 177/udp","UDP packet","remotely exploitable"],"overview":"A \"double-free\" vulnerability in the CDE dtlogin program could allow a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable system.","clean_desc":"The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The dtlogin program contains a \"double-free\" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet.","impact":"Depending on configuration, operating system, and platform architecture, an unauthenticated, remote attacker could execute arbitrary code, read sensitive information, or cause a denial of service.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem. Updated vendor information will be made available in the Systems Affected section below.","workarounds":"Block or Restrict XDMCP Traffic Block XDMCP traffic (177/udp) from untrusted networks such as the Internet. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. In most cases, it is trivial for an attacker to spoof the source of a UDP packet, so restricting xdmcp access to specific IP addresses may be ineffective. Consider network configuration and service requirements before deciding what changes are appropriate. Disable xdmcp in dtlogin Depending on service requirements, disable XDMCP support in dtlogin. On a SunOS 5.8 system: /usr/dt/config/Xconfig /etc/dt/config/Xconfig #  To disable listening for XDMCP requests from X-terminals. Dtlogin.requestPort:       0","sysaffected":"","thanks":"This vulnerability was publicly reported by Dave Aitel of Immunity, Inc.","author":"This document was written by Art Manion.","public":["http://lists.immunitysec.com/pipermail/dailydave/2004-March/000402.html","http://www.securityfocus.com/archive/1/358380","http://www.securityfocus.com/archive/1/358426","http://secunia.com/advisories/11210/","http://secunia.com/advisories/11214/","http://secunia.com/advisories/11614/","http://secunia.com/advisories/11495/"],"cveids":["CVE-2004-0368"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-03-23T21:31:48Z","publicdate":"2004-03-23T00:00:00Z","datefirstpublished":"2004-03-24T05:25:39Z","dateupdated":"2004-06-23T17:51:14Z","revision":23,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"17","cam_exploitation":"0","cam_internetinfrastructure":"8","cam_population":"18","cam_impact":"20","cam_easeofexploitation":"9","cam_attackeraccessrequired":"17","cam_scorecurrent":"25.81875","cam_scorecurrentwidelyknown":"28.917","cam_scorecurrentwidelyknownexploited":"49.572","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":25.81875,"vulnote":null}