X11 Server Unauthenticated Access (CVE-1999-0526)

The Information Security Office (ISO) has been scanning for machines running unprotected X11 servers. ISO will disable network access if steps are not taken to enable authentication in a timely manner (typically 72 hours). Please see their description of the issue and possible resolutions below. If you receive a NISC notification regarding this issue and your X11 environment does not match the configurations listed, please feel free to contact the Information Security Office at iso-ir@andrew.cmu.edu or 412.268.2044.

Additional Info provided by ISO:

Description of the issue detected:

An X server’s access control is disabled (e.g. through an “xhost +” command) and allows anyone to connect to the server.

The remote X11 server accepts connections from anywhere. An attacker may connect to it to eavesdrop on the keyboard and mouse events of a user on the remote host. It is even possible for an attacker to grab a screenshot of the remote host or to display arbitrary programs.

An attacker may exploit this flaw to obtain the username and password of a user on the remote host.

The X-Win32 client by default allows incoming X Windows sessions from any location.  Essentially this means that anyone on the internet may remotely open an X Windows application on your local computer. This may be used in some cases as a keylogger which could then capture sensitive information such as passwords or credit card numbers that you are typing in.

 

Evidence of the issue:

* Running XWindows service
* Configuration item x11.unauthenticated.access set to ‘true’ matched

 

Potential Solutions:

Solution Summary: Forwarding X11 through SSH via PuTTY

Solution Type: WORKAROUND  Estimated remediation time: 00:30:00

PuTTY:

1.) Run “PuTTY” found in the “X-Win32” program group of the “Start” menu.
2.) Enter the desired remote hostname in the “Host Name (or IP address)” box.
3.) Click the “SSH” category from the left pane.
4.) Under “Preferred SSH Protocol Version”, select “2 only”.
5.) Click the “Tunnels” sub-category under “SSH” in the left pane.
6.) Checkmark “Enable X11 forwarding” at the top.
7.) Click the “Session” category from the left pane.
8.) Enter a meaningful name in the “Saved Sessions” box.
9.) Click the “Save” button.
10.) Repeat steps 1 through 9 for other remote hosts that you routinely use.

 

Forwarding X11 through SSH via SSH Secure Shell

Solution Type: WORKAROUND  Estimated remediation time: 00:30:00

SSH Secure Shell:

1.) Run “Secure Shell Client” found in the “SSH Secure Shell” program group of the “Start” menu.
2.) From the “File” menu, choose “Profiles” and then “Add Profile…”
3.) In the “Add Profile” box, type a meaningful name and click “Add to Profiles”.
4.) From the “File” menu, choose “Profiles” and then “Edit Profile…”
5.) Click the meaningful name of the profile you just created from the list on the left.
6.) Click the “Connection” tab.
7.) Enter the desired remote hostname in the “Host name:” box.
8.) Enter your username on the remote system in the “User name:” box.
9.) Click “OK” to confirm the changes.
10.) From the “File” menu, choose “Profiles” and then “Edit Profile…”
11.) Click the meaningful name of the profile you just created from the list on the left.
12.) Click the “Tunneling” tab.
13.) Checkmark “Tunnel X11 connections”.
14.) Click “OK” to confirm the changes.
15.) From the “File” menu, choose “Save Settings” to save the changes permanently.
16.) Repeat steps 1 through 15 for other remote hosts that you routinely use.

 

X-Win32 Solution for restricting access to localhost

Solution Type: WORKAROUND  Estimated remediation time: 00:30:00

Configure X-Win32 to only allow connections from your local computer:

1.) Run “X-Config” found in the “X-Win32” program group of the “Start” menu.
2.) Click on the “Security” tab.
3.) Click the “Add” button to the right of the “X-Host” list.
4.) Type “127.0.0.1” (without the quotes) in the box that appears and click “OK”.
5.) Checkmark the “Access Control” box. Click the “OK” button to close “X-Config”. Note: If you have X-Win32 already running, you will need to restart it for the X-Config changes to take effect.
6.) Configure SSH X11 forwarding to encrypt communication with the remote computers. Note: The exact steps vary based on which SSH client you are using.

Launch X Windows applications:

1.) Run “X-Win32” from the “Start” menu.
2.) Connect to the desired remote host using the saved Session (PuTTY) or Profile (Secure Shell SSH) from your preferred SSH client.
3.) Launch your desired X Windows application from the new terminal session by typing the application executable name followed by an “&”, for instance “xterm &” (without the quotes).

 

UNIX Solution for disabling open access to X11

Solution Type: WORKAROUND  Estimated remediation time: 00:30:00

Implement one or more of:

* Disable X11 from listening on TCP ports
* Firewall X11’s TCP ports
* Restrict access using xhost -
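To confirm on a UNIX host whether the options above are in effect, the following audit script is an added example, not part of ISO's notice. It assumes display N listens on TCP port 6000+N (ports 6000-6063 are checked), that `ss` and `xhost` are installed, and it uses constructed sample input; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a UNIX host for the exposure this notice describes.
# Assumption: X display N listens on TCP port 6000+N; 6000-6063 is checked.

# Read `ss -ltnH` output on stdin; print non-loopback X11 listeners.
x11_exposed_listeners() {
    awk '{
        addr = $4                          # Local Address:Port column
        port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[^:]*$/, "", host)
        if (port + 0 < 6000 || port + 0 > 6063) next
        if (host ~ /^127\./ || host == "[::1]") next   # loopback, e.g. an SSH X11 forward
        print addr
    }'
}

# Read `xhost` output on stdin; succeed (0) if access control is disabled.
xhost_is_open() {
    grep -q '^access control disabled'
}

# Combine both checks. $1 = ss output, $2 = xhost output.
x11_verdict() {
    listeners=$(printf '%s\n' "$1" | x11_exposed_listeners)
    if printf '%s\n' "$2" | xhost_is_open; then open=yes; else open=no; fi
    if [ -n "$listeners" ] && [ "$open" = yes ]; then
        echo "EXPOSED"        # the condition the scan reports
    elif [ -n "$listeners" ]; then
        echo "LISTENING"      # TCP reachable; start the server with -nolisten tcp or firewall it
    elif [ "$open" = yes ]; then
        echo "OPEN-LOCAL"     # no TCP listener, but still run: xhost -
    else
        echo "OK"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_XHOST='access control disabled, clients can connect from any host'

x11_verdict "$SAMPLE_SS" "$SAMPLE_XHOST"
# On a live host: x11_verdict "$(ss -ltnH)" "$(xhost)"
```

A listener bound to 127.0.0.1 on a port such as 6010 is what SSH X11 forwarding creates, so the script does not count it as exposed.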

 

If none of these options are viable, please feel free to contact the Information Security Office at iso-ir@andrew.cmu.edu or 412.268.2044.

—————————————

If you determine that the system has been compromised, please remove it from the network and contact the Information Security Office prior to taking any additional actions or running additional commands on the system.

We can be reached by email at iso-ir@andrew.cmu.edu, or by phone at 412.268.2044. The ISO-IR Hotline number is available 24×7 for emergencies.

If your system contains restricted data or has access to restricted data, other than your own, please report this before taking any action.

Please see the following link:

https://www.cmu.edu/iso/governance/guidelines/data-classification.html#appendixa

Before taking any action to correct a reported issue please read and follow the Procedure for Responding to a Compromised Computer:

https://www.cmu.edu/iso/governance/procedures/compromised-computer.html

Thank you,

Computing Services
Information Security Office

 
