=====================================================================
                                 CERT-Renater

                      Note d'Information No. 2004/VULN189
_____________________________________________________________________

DATE                      : 29/04/2004

HARDWARE PLATFORM(S)      : IBM.

OPERATING SYSTEM(S)       : AIX 4.3, 5.1 and 5.2.
                            
======================================================================


IBM SECURITY ADVISORY

First Issued: Tue Apr 27 11:14:40 CDT 2004

===========================================================================
VULNERABILITY SUMMARY

VULNERABILITY:      dtlogin improperly handles some XDMCP requests.

PLATFORMS:          AIX 4.3, 5.1 and 5.2.

SOLUTION:           Apply the workaround or APARs as described
below.

THREAT:             A remote attacker may cause a denial of service or
execute arbitrary code.

CERT VU Number:     VU#179804
CVE Number:         CAN-2004-0368
===========================================================================

                                                      DETAILED INFORMATION

I.  Description
===============
dtlogin attempts to authenticate a local or remote user and, if successful,
starts a session for that user. Remote sessions are handled through the X
Display Manager Control Protocol (XDMCP). A vulnerability has been
discovered in how dtlogin handles XDMCP requests which may allow a remote
attacker to launch a denial of service (DOS) attack against dtlogin or
execute arbitrary code. It is believed that there are exploits in the
wild that an attacker can use to cause a DOS; it is not certain if there
are exploits that will allow an attacker to execute arbitrary code.

dtlogin ships as part of the X11.Dt.rte fileset. To determine if this
fileset is installed, execute the following command:

# lslpp -L X11.Dt.rte

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A remote user may launch a denial of service attack against dtlogin or
execute arbitrary code.


III.  Solutions
===============

A. Official Fix

IBM provides the following fixes:

            APAR number for AIX 4.3.3:  IY55362 (available)
            APAR number for AIX 5.1.0:  IY55361 (available)
            APAR number for AIX 5.2.0:  IY55360 (available)

NOTE: Affected customers are urged to upgrade to 4.3.3, 5.1.0 or 5.2.0 at
the latest maintenance level.


B. Workaround

If dtlogin is not needed turn it off. Legitimate requests to dtlogin will
fail. CDE requires dtlogin to run. To turn dtlogin off, execute the
following command:

# /usr/dt/bin/dtconfig -kill

Verify that there are no remaining dtlogin processes. Executing the following
command will give the process ids for dtlogin processes:

# ps -ef | grep dtlogin

If there still are dtlogin processes running, manually kill them using the
following command:

# kill -9 <dtlogin process id>

To ensure that dtlogin does not restart on reboot, execute the following
command:

# /usr/dt/bin/dtconfig -d


IV. Obtaining Fixes
===================

AIX Version 4.3.3 and Version 5 APARs can be downloaded from
the eServer pSeries Fix Central web site:

            http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

Security related Emergency Fixes can be downloaded from:

            ftp://aix.software.ibm.com/aix/efixes/security

V.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

            security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

======================================================================

        =========================================================
        Les serveurs de référence du CERT-Renater
        http://www.urec.fr/securite
        http://www.cru.fr/securite
        http://www.renater.fr 
	=========================================================
	+ CERT-RENATER		| tel : 01-53-94-20-44		+
	+ 151 bd de l'Hopital	| fax : 01-53-94-20-41		+
	+ 75013 Paris		| email: certsvp@renater.fr	+
	=========================================================