Threat Update | X.Org Security Advisory
December 22, 2014
This advisory outlines vulnerabilities affecting servers running "X Windows" (the X Window System), a graphical user interface common on Unix, Linux and related platforms, and less commonly on MS Windows computers when installed by end users.
This is rated CRITICAL due to the possibility of denial of service attacks or of allowing unauthorized and undesirable programs to execute.
There are effective controls and configuration changes that can be implemented to address these issues; they are detailed below.
These issues date back to the 1980s and 1990s and thus affect most systems running X.Org. The oldest of these vulnerabilities goes back to 1987, in the X11 core protocol requests.
There are various CVEs associated with this advisory:
- CVE-2014-8091: SUN-DES-1 unauthenticated access
- CVE-2014-8092: X11 core protocol requests
- CVE-2014-8094: DRI2 extension
- CVE-2014-8095: XInput extension
- CVE-2014-8096: XC-MISC extension
- CVE-2014-8097: DBE extension
- CVE-2014-8098: GLX extension
- CVE-2014-8099: XVideo extension
- CVE-2014-8100: Render extension
- CVE-2014-8101: RandR extension
- CVE-2014-8102: XFixes extension
- CVE-2014-8103: DRI3 & Present extensions
For the X11 servers on the network, we are developing additional correlation rules to track the number of X11 connections and watch for changes in that number.
Review the scanning results for X11 servers active on the network. Apply fixes as they become available from the vendors.
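The following is an added example, not part of the X.Org advisory, of the kind of correlation rule described above: it counts connections to the X11 display port range per server and reports any server whose connection count has changed against a baseline. The log format ("<time> <src> <dst> <dport>", one connection per line), the host names and the 6000-6063 port range (display :0 to :63) are assumptions for this example; real deployments would adapt the awk field numbers to their own flow or firewall logs.

```shell
#!/bin/sh
# Added example, not part of the X.Org advisory: a minimal X11 connection
# counting rule over a connection log. Assumed log format, one line per
# connection: "<time> <src> <dst> <dport>". Only destination ports in the
# X11 display range 6000-6063 (display :0 .. :63) are counted.

# Count connections to X11 ports per destination host.
# stdin: log lines; stdout: "<dst> <count>", sorted by host.
x11_conn_counts() {
    awk '$4 >= 6000 && $4 <= 6063 { n[$3]++ }
         END { for (h in n) print h, n[h] }' | sort
}

# Compare a baseline count table with a current one (both "<host> <count>").
# $1: baseline table file, $2: current table file.
# Prints "NEW|CHANGED|GONE <host> <baseline> <current>" for every host whose
# X11 connection count differs between the two tables.
x11_conn_delta() {
    awk 'FILENAME == ARGV[1] { base[$1] = $2; next }
         { cur[$1] = $2 }
         END {
             for (h in cur) {
                 if (!(h in base)) print "NEW", h, 0, cur[h]
                 else if (cur[h] != base[h]) print "CHANGED", h, base[h], cur[h]
             }
             for (h in base) if (!(h in cur)) print "GONE", h, base[h], 0
         }' "$1" "$2" | sort
}

# Demonstration on constructed data (hosts and addresses are made up).
demo_x11_rule() {
    d=$(mktemp -d) || return 1
    printf 'xhost1 1\nxhost3 1\n' > "$d/base.tbl"     # constructed baseline
    printf '10:00 10.0.0.5 xhost1 6000\n10:01 10.0.0.6 xhost1 6000\n10:02 10.0.0.7 xhost2 6001\n10:03 10.0.0.8 xhost2 22\n' \
        | x11_conn_counts > "$d/cur.tbl"             # current counts from constructed log
    x11_conn_delta "$d/base.tbl" "$d/cur.tbl"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo_x11_rule
fi
```

Run the script with --demo to see the report on the constructed log: xhost1 is flagged as CHANGED (1 to 2), xhost2 as NEW, and xhost3 as GONE; the SSH connection on port 22 is ignored. In practice the baseline table would be regenerated from a known-good period and the delta run on each new log window.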
Users can reduce their exposure to issues similar to the ones in this advisory via these methods:
- Configure the X server to prohibit X connections from the network by passing the -nolisten tcp command line option to the X server. Many OS distributions already set this option by default, and it will be set by default in the upstream X.Org release starting with Xorg 1.17.
- Disable GLX indirect contexts. Some implementations have a configuration option for this. In Xorg 1.16 or newer, this can be achieved by setting the -iglx X server command line option. This option will be the default in Xorg 1.17 and later releases.
Consult your operating system's documentation for details on setting X server command line options, as X servers are started by a variety of different methods on different platforms (startx, gdm, kdm, xdm, etc.).
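As an added example (not part of the X.Org advisory or of X.Org itself), the script below audits a host for the two mitigations listed above. It checks whether each running X server's command line carries -nolisten tcp and -iglx, and whether any TCP socket is listening in the X11 display port range. It assumes a Linux system where `ps -eo args=` shows the full command line, the X server binary is named Xorg or X, `ss -ltn` is available for the socket listing, and displays :0 to :63 map to TCP ports 6000 to 6063; the -iglx check only applies to Xorg 1.16 or newer.

```shell
#!/bin/sh
# Added example, not part of the X.Org advisory: audit a host for the two
# mitigations the advisory names. Assumptions: Linux ps/ss output formats,
# X server binary named Xorg or X, Xorg 1.16+ for the -iglx option.

# Return 0 if an X server command line contains "-nolisten tcp".
# $1: full command line, e.g. "/usr/bin/X -nolisten tcp :0 vt7"
x_has_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if indirect GLX contexts are disabled with -iglx (Xorg 1.16+).
x_has_iglx_disabled() {
    case " $1 " in
        *" -iglx "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -ltn` style output on stdin and print every listening TCP port in
# the X11 display range 6000-6063 (display :0 .. :63), one per line.
x11_listen_ports() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n] + 0   # $4 is "Local Address:Port"
        if (port >= 6000 && port <= 6063) print port
    }'
}

# Live audit: inspect every running X server and the host's listening sockets.
audit_running_x() {
    ps -eo args= | grep -E '^(/[^ ]*/)?(Xorg|X)( |$)' | while IFS= read -r cmd; do
        if x_has_nolisten_tcp "$cmd"; then
            echo "ok:   -nolisten tcp present: $cmd"
        else
            echo "WARN: -nolisten tcp missing:  $cmd"
        fi
        if x_has_iglx_disabled "$cmd"; then
            echo "ok:   indirect GLX disabled:  $cmd"
        else
            echo "WARN: -iglx not set (indirect GLX may be enabled): $cmd"
        fi
    done
    ports=$(ss -ltn 2>/dev/null | x11_listen_ports | tr '\n' ' ')
    if [ -n "$ports" ]; then
        echo "WARN: TCP listener(s) in the X11 port range: $ports"
    else
        echo "ok:   no TCP listeners in the X11 port range"
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_running_x
fi
```

Run it with --audit on the host being checked. A WARN for a missing -nolisten tcp together with a listener on port 6000 means the server is reachable over the network and the advisory's first mitigation has not taken effect; on distributions where the option is already the default, the command line check still confirms that no local start script has overridden it.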