
dtlogin security

 
Todd McDaniel_1
Honored Contributor

I got an email regarding a security alert for dtlogin.

-------------------------------------------------------
Risk Profile: Most Unix / Linux workstations come configured with CDE and dtlogin to handle login authentication. Systems that only support ASCII login from the console and do not support any XDMCP login to a server are not affected by this vulnerability.

Exploit: There are exploits in the wild that an attacker can use to cause a DoS; it is not certain if there are exploits that will allow an attacker to execute arbitrary code.

Feedback: Future Use
Products known affected: Dtlogin process associated with CDE.
OS known affected: UNIX / Linux
-------------------------------------------------------


My question is this: I have users who do terminal emulation with exporting the DISPLAY. Will this affect them if I turn off dtlogin?

OR

Is dtlogin ONLY for console login access? I never use it because we have text-only consoles on all our boxes. Will this even matter?
Unix, the other white meat.
Todd McDaniel_1
Honored Contributor

Re: dtlogin security

My prescribed solution is as follows directed by my Platform Specialist...

--------------------------------------------------------
The current fix is as follows:
10.x systems: turn off dtlogin - unless users show a need for the process. No other fix is available for this OS.
11.x systems: turn off dtlogin - unless users show a need for the process - until the patches are released on thpatch. The patches are PHSS_30668 for 11.00 and PHSS_30669 for 11.11.
After the patches have been installed, dtlogin can be turned back on. Patches are being tested now and are in the "stage" process - it is expected that they will be released in our next patch bundle.

Please check if your users are using any of the "dt" processes: dtterm, dtsession, dtgreet, etc. before you turn off dtlogin. If they're using them, determine if they can access the server another way.

To stop the dtlogin process, type "/sbin/init.d/dtlogin.rc stop".
Then, to prevent dtlogin from starting after a reboot, edit /etc/rc.config.d/desktop. Change the value of the DESKTOP variable from CDE to "". Here's what it looks like:
DESKTOP=CDE
change to:
DESKTOP=""

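The pre-check and the stop-and-disable steps quoted above, written out as a script. This is an added example, not code from any post in this thread or from HP: the only facts taken from the post are the two HP-UX paths, /sbin/init.d/dtlogin.rc (stop script) and /etc/rc.config.d/desktop (the DESKTOP=CDE variable). The ps listing is a constructed sample, and the demo edits a temporary copy of the config rather than the real file, so it runs anywhere.

```sh
#!/bin/sh
# Added example, not from the original thread. Implements the pre-check and
# the "turn off dtlogin" steps from the post above. The only facts taken from
# the post are the two HP-UX paths: /sbin/init.d/dtlogin.rc (stop script) and
# /etc/rc.config.d/desktop (DESKTOP=CDE variable). The ps listing below is a
# constructed sample, and the demo edits a temporary copy, never the real file.

# Pre-check: read a "ps -ef" listing on stdin and print the basenames of any
# dt* clients other than dtlogin itself (dtterm, dtsession, dtgreet, ...).
# Exit status 0 if at least one was found, 1 otherwise.
dt_clients_in_listing() {
    awk '{
            for (i = 2; i <= NF; i++) {
                c = $i
                sub(/.*\//, "", c)           # strip the directory part
                if (c ~ /^dt[a-z]+$/ && c != "dtlogin") { print c; found = 1 }
            }
         }
         END { if (found) exit 0; exit 1 }'
}

# Print the value of DESKTOP= from an rc.config.d-style file (CDE or "").
current_desktop() {
    sed -n 's/^DESKTOP=//p' "$1"
}

# Persist the change: DESKTOP=CDE -> DESKTOP="" so dtlogin does not start
# at the next reboot. Writes through a temp file, then verifies the result.
disable_cde_at_boot() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    sed 's/^DESKTOP=CDE[[:space:]]*$/DESKTOP=""/' "$cfg" > "$tmp" && mv "$tmp" "$cfg" || return 1
    grep -q '^DESKTOP=""$' "$cfg"
}

# --- demo on constructed data ---------------------------------------------
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root     1     0  0  Mar 12  ?         0:03 init
    root  1402     1  0  Mar 12  ?         0:00 /usr/dt/bin/dtlogin -daemon
    todd  2210  2180  0 10:02:11 pts/1     0:00 /usr/bin/X11/xterm -display ws42:0
    jane  2315  2290  0 10:07:45 pts/2     0:01 /usr/dt/bin/dtterm -display ws17:0'

if clients=$(printf '%s\n' "$SAMPLE_PS" | dt_clients_in_listing); then
    echo "dt clients still in use, talk to their owners first: $clients"
else
    echo "no dt clients running; safe to run: /sbin/init.d/dtlogin.rc stop"
fi

demo_cfg=${TMPDIR:-/tmp}/desktop.demo.$$
printf 'DESKTOP=CDE\n' > "$demo_cfg"
disable_cde_at_boot "$demo_cfg" && echo "DESKTOP is now $(current_desktop "$demo_cfg")"
rm -f "$demo_cfg"
# On the real system the file is /etc/rc.config.d/desktop; run the edit as root
# after "/sbin/init.d/dtlogin.rc stop", exactly as the post describes.
```

On a live box the pre-check is `ps -ef | dt_clients_in_listing`; the xterm in the sample is deliberately not reported, since a plain X client with an exported DISPLAY does not depend on dtlogin, while the dtterm is.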
Todd McDaniel_1
Honored Contributor

Re: dtlogin security

shameless bump...

*taps microphone* is this thing on???

*crickets chirping*

*wind blows*

*time passes*

*paint dries* ... again.

*counted popcorn on my ceiling* ... twice.
Steven E. Protter
Exalted Contributor

Re: dtlogin security

You can actually do this safely.

Use ssh for X login.

Hummingbird offers an add-in that uses Secure Shell/OpenSSH instead of the vulnerable r-protocols.

Totally disable the nasty r-stuff in inetd.conf

Case closed.

Never saw this one before, sorry.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Todd McDaniel_1
Honored Contributor

Re: dtlogin security

Well, we never use that type of console login anyway, and we don't use SSH.

So I am really asking: can I perform this without disabling any non-root exporting of DISPLAY to their desktop, until I can get the patch loaded a few weeks from now?
Todd McDaniel_1
Honored Contributor

Re: dtlogin security

btw, this is a new security problem that just came out this week...
Todd McDaniel_1
Honored Contributor

Re: dtlogin security

Here is the CERT on it... sorry for so many posts..


http://www.kb.cert.org/vuls/id/179804


Sridhar Bhaskarla
Honored Contributor

Re: dtlogin security

Todd,

Turning off "dtlogin" will not affect your 'export-display' programs as they use the local X-server to run.

Only CDE-login is disabled.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
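The point made in the reply above, in network terms, as an added example that is not from any post in this thread: an X client started with an exported DISPLAY connects out from the HP-UX box to the user's own X server (tcp port 6000+n on the workstation), whereas dtlogin's XDMCP service, when enabled, is an inbound listener on udp 177 on the HP-UX box. Stopping dtlogin removes the latter and leaves the former alone. The port numbers are the standard X11 and XDMCP ones; the two netstat listings are constructed samples, not real output, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original thread. Shows the reply's point in
# network terms: an X client with an exported DISPLAY connects *out* to the
# user's X server (tcp 6000+n on the workstation), while dtlogin's XDMCP
# service is an *inbound* listener on udp 177 on the HP-UX box. The port
# numbers are the standard X11/XDMCP ones; the netstat listings below are
# constructed samples, not real output.

# Given a DISPLAY value such as "ws42:0" or "ws42:10.0", print
# "<host> <tcp port>" for the X server an X client will connect to.
x_server_endpoint() {
    host=${1%%:*}
    rest=${1#*:}
    display_no=${rest%%.*}
    [ -n "$host" ] || host=localhost     # ":0" means the local X server
    echo "$host $((6000 + display_no))"
}

# Read "netstat -an" output on stdin; exit 0 if anything is listening on
# udp 177 (XDMCP, i.e. dtlogin), 1 otherwise. Handles both the HP-UX/BSD
# "*.177" and the Linux "0.0.0.0:177" local-address styles.
xdmcp_listening() {
    awk '$1 ~ /^udp/ && $4 ~ /[.:]177$/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Print a one-line verdict for a labelled listing.
report() {
    if printf '%s\n' "$2" | xdmcp_listening; then
        echo "$1 stopping dtlogin: XDMCP (udp 177) is listening"
    else
        echo "$1 stopping dtlogin: no XDMCP listener; the ws42.6000 session is unaffected"
    fi
}

# --- demo on constructed data ----------------------------------------------
echo "xterm with DISPLAY=ws42:0 talks to: $(x_server_endpoint ws42:0)"

BEFORE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp        0      0  *.22            *.*              LISTEN
udp        0      0  *.177           *.*
tcp        0      0  10.1.2.3.49152  ws42.6000        ESTABLISHED'
AFTER='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp        0      0  *.22            *.*              LISTEN
tcp        0      0  10.1.2.3.49152  ws42.6000        ESTABLISHED'

report BEFORE "$BEFORE"
report AFTER  "$AFTER"
# On a live box: netstat -an | xdmcp_listening && echo "dtlogin still up"
```

The ESTABLISHED line to ws42.6000 is the user's exported-DISPLAY session; it is present in both listings because it was never dtlogin's socket to begin with.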
Robert Fritz
Regular Advisor

Re: dtlogin security

Shameless plug:

Note that HP-UX Bastille can disable this and other network-listening daemons for you.

On 11.23 (and up), if you pick a security level, this won't be on in the first place. This can help lower the stress level for admins that prefer a "default off" approach, or want to decide interactively which services they want/need.

The tool helps walk you through the choices by telling you what's affected when you turn something off.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin