Описание
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients, and in some cases, also bypass, authenticate (via injection of control characters), or potentially execute arbitrary code with permissions of the application compiled with libX11. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Отчет
This flaw was rated with an important severity as it allows an attacker to inject X11 protocol commands on X clients with the privileges of the application linked with the libX11 library, potentially having administrative privileges. However, Red Hat Enterprise Linux 8 and 9 do not run the Xorg server with root privileges, lowering the security impact of this issue. For this reason, Red Hat Enterprise Linux 8 and 9 have been rated with a moderate severity.
Меры по смягчению последствий
xterm should not be used to display less trusted data, e.g. from SSH connections to less trusted remote machines. To avoid attacks via .Xdefaults on kiosk type machines, where graphical user has no permission to execute arbitrary operating system commands or sometimes not even to send hardware keyboard keystrokes, the .Xdefaults must not be modifiable by the user.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | libX11 | Out of support scope | ||
| Red Hat Enterprise Linux 9 | libX11 | Will not fix | ||
| Red Hat Ansible Tower 3.8 for RHEL 7 | ansible-tower-38/ansible-tower-rhel7 | Fixed | RHBA-2021:3472 | 08.09.2021 |
| Red Hat Enterprise Linux 7 | libX11 | Fixed | RHSA-2021:3296 | 30.08.2021 |
| Red Hat Enterprise Linux 8 | libX11 | Fixed | RHSA-2021:4326 | 09.11.2021 |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | redhat-virtualization-host | Fixed | RHSA-2021:3477 | 09.09.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might a ...
EPSS
8.1 High
CVSS3