Date: Thu, 28 Mar 2002 09:03:01 -0600
From: Eric Anderson <anderson@centtech.com>
To: David Pick <d.m.pick@qmul.ac.uk>
Cc: Brett Glass <brett@lariat.org>, security@freebsd.org
Subject: Re: Is FreeBSD susceptible to this vulnerability?
Message-ID: <3CA330A5.463E4595@centtech.com>
References: <E16qbLv-0004xx-00@xi.css.qmw.ac.uk>
In /etc/X11/xdm/Xaccess:

#*                                      #any host can get a login window

So I think the default install is ok..

Eric

David Pick wrote:
>
> > Apparently, several UNIX-like operating systems can be penetrated via
> > XDMCP/UDP; see
> >
> > http://www.procheckup.com/security_info/vuln_pr0208.html
> >
> > Is FreeBSD vulnerable? What about the other BSDs?
>
> (All the following is from reading the notice and having used
> XDM myself in the past; not from reading the code...)
>
> The notice says it's an "information leakage" vulnerability that
> can leak information useful for otherwise unrelated brute-force
> attacks.
>
> It's also more a matter of the default configurations for the
> XDMCP daemon rather than the code of the daemon.
>
> The FreeBSD default configuration *is* vulnerable but doesn't
> gratuitously leak information (for example by providing lists
> of valid users). So it's no more or less vulnerable than having
> an open listening "telnet" service. Or an open "finger" service.
> However, the notice is worthwhile because it points out that
> such leakage can happen via services that use UDP as well as
> services using TCP.
>
> --
> David Pick

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
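Eric's answer hinges on whether the "*" pattern in Xaccess is commented out, so the check below, added here as an illustration and not part of the original thread, parses an Xaccess file and reports whether any active rule grants XDMCP access to every host. It assumes the Xaccess syntax from xdm(1): "#" starts a comment, a leading "!" turns a pattern into a denial, and lines starting with "%" define host-list macros rather than rules. The sample files it creates are constructed for the demonstration; the function name xaccess_status is mine.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reports whether an
# xdm Xaccess file contains an active "*" rule (any host may obtain a
# login window via XDMCP) or whether that rule is absent or commented out.
# Assumption: Xaccess syntax as documented in xdm(1) (comments with "#",
# "!" prefix for denial, "%" prefix for macro definitions).

# Prints "open" if a bare "*" pattern is in force, "restricted" otherwise.
# Exit status mirrors the verdict: 0 for open, 1 for restricted.
xaccess_status() {
    if awk '
        # drop trailing comments; skip lines that become empty
        { sub(/#.*$/, ""); if (NF == 0) next }
        # "%name host ..." lines define macros, not access rules
        $1 ~ /^%/ { next }
        # a leading "!" denies the matching hosts rather than permitting them
        $1 ~ /^!/ { next }
        # a bare "*" pattern matches every querying host (direct or indirect)
        $1 == "*" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"; then
        echo open
        return 0
    else
        echo restricted
        return 1
    fi
}

# Demonstration on constructed files: the commented default quoted in the
# thread versus a file with the same rule uncommented.
demo_dir=$(mktemp -d)
printf '#*\t\t#any host can get a login window\n' > "$demo_dir/Xaccess.default"
printf '*\t\t#any host can get a login window\n*\tCHOOSER BROADCAST\n' \
    > "$demo_dir/Xaccess.open"
for f in "$demo_dir"/Xaccess.*; do
    printf '%s: %s\n' "$f" "$(xaccess_status "$f")"
done
rm -rf "$demo_dir"
```

Run it against the real path from the thread with `xaccess_status /etc/X11/xdm/Xaccess`. Note that Xaccess only controls which hosts xdm answers; the daemon still listens on UDP port 177 (check with `sockstat -4 -l` on FreeBSD), and setting `DisplayManager.requestPort: 0` in xdm-config stops it listening for XDMCP at all, which is the stronger fix when remote logins are not needed.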
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CA330A5.463E4595>