A vulnerability in Solaris puts systems running the Sun Microsystems operating system at risk of being taken over by an attacker, experts warned on Monday.
A buffer overflow flaw lies in Sun's implementation of the X Windows Font Service (XFS), which serves font files to clients and runs by default on all versions of Solaris, according to advisories issued by Internet Security Systems (ISS) and the Computer Emergency Response Team/Coordination Center (CERT/CC).
By formulating a specific XFS query, remote attackers can either crash the service or run arbitrary code with the privileges of the "nobody user". This privilege level is limited and similar to a normal user. However, after gaining access an attacker could use privilege escalation flaws to attain root status, the highest privilege level, ISS said.
The XFS service (fs.auto) uses a high TCP (Transmission Control Protocol) port, which mitigates the risk as such ports are typically blocked by firewalls, preventing an attack from the public Internet, said Gunter Ollmann, manager of X-Force Security Assessment Services at ISS in London.
"Normally this service would not be available over the Internet because it would be protected by a firewall, but internally this service is commonly available," he said.
The vulnerable service exposed on a corporate network makes an attack from the inside possible, but can also facilitate an attacker on the outside, Ollmann noted. Should a host that is accessible from the Internet get compromised, an attacker could cascade attacks and gain access to a Solaris machine by exploiting the XFS vulnerability, he said.
Sun told ISS and the CERT/CC that it is working on a software update. Meanwhile, ISS advises users to disable XFS unless it is explicitly required and investigate firewall settings.
The ISS X-Force advisory is available here.
The CERT/CC advisory is available here.