https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297874#M746192 My prescribed solution is as follows directed by my Platform Specialist...<BR /><BR />--------------------------------------------------------<BR />The current fix is as follows:<BR />10.x systems: turn off dtlogin - unless users show a need for the process. No other fix is available for this OS.<BR />11.x systems: turn off dtlogin - unless users show a need for the process - until the patches are released on thpatch. The patches are PHSS_30668 for 11.00 and PHSS_30669 for 11.11<BR />After the patches have been installed, dtlogin can be turned back on. Patches are being tested now and are in the "stage" process - it is expected that they will be released in our next patch bundle.<BR /><BR />Please check if your users are using any of the "dt" processes: dtterm, dtsession, dtgreet, etc. before you turn off dtlogin. If they're using them, determine if they can access the server another way<BR /><BR />To stop the dtlogin process, type "/sbin/init.d/dtlogin.rc stop". <BR />Then, to prevent dtlogin from starting after a reboot, edit /etc/rc.config.d/desktop. Change the value of the DESKTOP variable from CDE to "". Here's what it looks like:<BR /> DESKTOP=CDE<BR /> change to:<BR /> DESKTOP=""<BR /><BR /> Mon, 07 Jun 2004 10:23:46 GMT Todd McDaniel_1 2004-06-07T10:23:46Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297873#M746191 I got an email regarding a security alert for dtlogin.<BR /><BR />-------------------------------------------------------<BR />Risk Profile: Most Unix / Linux workstations come configured with CDE and dtlogin to handle login authentication. Systems that only support ASCII login from the console and do not support any XDMCP login to a server are not affected by this vulnerability.<BR /><BR />Exploit: There are exploits in the wild that an attacker can use to cause a DOS; it is not certain if there are exploits that will allow an attacker to execute arbitrary code.<BR /><BR />Feedback: Future Use <BR />Products known affected: Dtlogin process associated with CDE.<BR />OS known affected: UNIX / Linux<BR />-------------------------------------------------------<BR /><BR /><BR />My question is this, I have users who do terminal emulation with exporting the DISPLAY. Will this affect them if I turn off dtlogin??? <BR /><BR />OR <BR /><BR />Is DTlogin ONLY for console login access? I never use it b/c we have text only consoles on all our boxes. Will this even matter? Mon, 07 Jun 2004 10:22:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297873#M746191 Todd McDaniel_1 2004-06-07T10:22:52Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297874#M746192 My prescribed solution is as follows directed by my Platform Specialist...<BR /><BR />--------------------------------------------------------<BR />The current fix is as follows:<BR />10.x systems: turn off dtlogin - unless users show a need for the process. No other fix is available for this OS.<BR />11.x systems: turn off dtlogin - unless users show a need for the process - until the patches are released on thpatch. The patches are PHSS_30668 for 11.00 and PHSS_30669 for 11.11<BR />After the patches have been installed, dtlogin can be turned back on. Patches are being tested now and are in the "stage" process - it is expected that they will be released in our next patch bundle.<BR /><BR />Please check if your users are using any of the "dt" processes: dtterm, dtsession, dtgreet, etc. before you turn off dtlogin. If they're using them, determine if they can access the server another way<BR /><BR />To stop the dtlogin process, type "/sbin/init.d/dtlogin.rc stop". <BR />Then, to prevent dtlogin from starting after a reboot, edit /etc/rc.config.d/desktop. Change the value of the DESKTOP variable from CDE to "". Here's what it looks like:<BR /> DESKTOP=CDE<BR /> change to:<BR /> DESKTOP=""<BR /><BR /> Mon, 07 Jun 2004 10:23:46 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297874#M746192 Todd McDaniel_1 2004-06-07T10:23:46Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297875#M746193 shameless bump...<BR /><BR />*taps microphone* is this thing on???<BR /><BR />*crickets chirping*<BR /><BR />*wind blows*<BR /><BR />*time passes*<BR /><BR />*paint dries* ... again.<BR /><BR />*counted popcorn on my ceiling* ... twice.<BR /> Mon, 07 Jun 2004 14:29:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297875#M746193 Todd McDaniel_1 2004-06-07T14:29:04Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297876#M746194 You can actually do this safely.<BR /><BR />Use ssh for X login.<BR /><BR />Hummingbird offers an add in tha uses Secure shell/oppenssh instead of the vulnerable r-protocols.<BR /><BR />Totally disable the nasty r-stuff in inetd.conf<BR /><BR />Case closed.<BR /><BR />Never saw this one before, sorry.<BR /><BR />SEP Mon, 07 Jun 2004 14:43:35 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297876#M746194 Steven E. Protter 2004-06-07T14:43:35Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297877#M746195 Well we never use that type of console login anyway, and we dont use SSH.<BR /><BR />So I am really asking can I perform this without disabling any non-root exporting of DISPLAY to their desktop? Until I can get the patch loaded in a few weeks from now. Mon, 07 Jun 2004 14:50:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297877#M746195 Todd McDaniel_1 2004-06-07T14:50:15Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297878#M746196 btw, this is a new security problem that just came out this week... Mon, 07 Jun 2004 14:50:54 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297878#M746196 Todd McDaniel_1 2004-06-07T14:50:54Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297879#M746197 Here is the CERT on it... sorry for so many posts..<BR /><BR /><BR /><A href="http://www.kb.cert.org/vuls/id/179804" target="_blank">http://www.kb.cert.org/vuls/id/179804</A><BR /><BR /><BR /> Mon, 07 Jun 2004 14:51:52 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297879#M746197 Todd McDaniel_1 2004-06-07T14:51:52Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297880#M746198 Todd,<BR /><BR />Turning off "dtlogin" will not affect your 'export-display' programs as they use the local X-server to run.<BR /><BR />Only CDE-login is disabled.<BR /><BR />-Sri Mon, 07 Jun 2004 14:53:13 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297880#M746198 Sridhar Bhaskarla 2004-06-07T14:53:13Z https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297881#M746199 Shamless plug:<BR /><BR />Note that HP-UX Bastille can disable this and other network listening deamons for you.<BR /><BR />On 11.23(and up), if you pick a security-level, this won't be on in the first place. This can help lower the stress level for admins that prefer a "default off" approach, or want to decide interactively which services they want/need.<BR /><BR />The tool helps walk you through the choices by telling you what's affected when you turn something off.<BR /><BR /><A href="http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA" target="_blank">http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA</A> Tue, 08 Jun 2004 10:50:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/dtlogin-security/m-p/3297881#M746199 Robert Fritz 2004-06-08T10:50:59Z