From: David Pick
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Date: Thu, 28 Mar 2002 14:58:11 +0000
In-reply-to: Your message of "Thu, 28 Mar 2002 07:31:03 MST." <4.3.2.7.2.20020328072932.03228b20@nospam.lariat.org>

> Apparently, several UNIX-like operating systems can be penetrated via
> XDMCP/UDP; see
>
> http://www.procheckup.com/security_info/vuln_pr0208.html
>
> Is FreeBSD vulnerable? What about the other BSDs?

(All the following is from reading the notice and having used XDM myself in the past; not from reading the code...)

The notice says it's an "information leakage" vulnerability that can leak information useful for otherwise unrelated brute-force attacks. It's also more a matter of the default configurations for the XDMCP daemon rather than the code of the daemon. The FreeBSD default configuration *is* vulnerable but doesn't gratuitously leak information (for example by providing lists of valid users). So it's no more or less vulnerable than having an open listening "telnet" service. Or an open "finger" service.

However, the notice is worthwhile because it points out that such leakage can happen via services that use UDP as well as services using TCP.

-- 
David Pick
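Since the reply frames this as a default-configuration issue rather than a code bug, the practical defender's check is whether xdm is still answering XDMCP over UDP at all. The script below is an added example, not part of the list thread: it audits xdm-config text for the `DisplayManager.requestPort: 0` resource (which tells xdm not to open its XDMCP listener; any other value, including the absent default of 177, leaves it reachable) and scans `sockstat -l`-style output for a UDP socket bound to port 177. The config fragments and sockstat lines are constructed samples.

```shell
#!/bin/sh
# Added example: audit whether an xdm installation exposes XDMCP over UDP.
# Assumes xdm's "DisplayManager.requestPort" resource (0 = no XDMCP listener,
# default 177) and FreeBSD "sockstat -l" columns:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

# xdmcp_listener_state CONFIG_TEXT -> prints "disabled" or "enabled"
xdmcp_listener_state() {
    # last requestPort value wins, as with X resource files; missing = default 177
    port=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*DisplayManager\.requestPort:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    if [ "$port" = 0 ]; then echo disabled; else echo enabled; fi
}

# xdmcp_socket_open SOCKSTAT_TEXT -> "yes" if any UDP socket is bound to port 177
xdmcp_socket_open() {
    if printf '%s\n' "$1" \
        | awk '$5 ~ /^udp/ && $6 ~ /:177$/ { found = 1 } END { exit !found }'
    then echo yes; else echo no; fi
}

# Constructed sample: xdm-config that leaves XDMCP reachable (the notice's case)
WEAK_CFG='! xdm-config, listener left at its default
DisplayManager.errorLogFile:    /var/log/xdm.log
DisplayManager.pidFile:         /var/run/xdm.pid'

# Constructed sample: the same file with the UDP listener turned off
HARD_CFG='! xdm-config with XDMCP disabled
DisplayManager.errorLogFile:    /var/log/xdm.log
DisplayManager.requestPort:     0'

# Constructed sample of "sockstat -l" output from a host still listening
SOCKS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     xdm        423   4  udp4   *:177                 *:*
root     sshd       311   4  tcp4   *:22                  *:*'

echo "weak config listener:   $(xdmcp_listener_state "$WEAK_CFG")"
echo "hardened config listener: $(xdmcp_listener_state "$HARD_CFG")"
echo "udp/177 bound on host:  $(xdmcp_socket_open "$SOCKS")"
```

On a live FreeBSD host the same functions can be fed `"$(cat /usr/X11R6/lib/X11/xdm/xdm-config)"` (path varies by X release) and `"$(sockstat -l)"` respectively.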