CVE-2017-10971 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in X.Org Xorg-Server

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, x-org, CWE-119, nessus

Summary

In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.

Vulnerable Configurations

Part         Description  Count
Application  X.Org        160

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2017-227-01.NASL
    description: New xorg-server packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102501
    published: 2017-08-16
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/102501
    title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : xorg-server (SSA:2017-227-01)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2017-227-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102501);
      script_version("$Revision: 1.3 $");
      script_cvs_date("$Date: 2018/01/26 17:57:43 $");
    
      script_cve_id("CVE-2017-10971", "CVE-2017-10972");
      script_xref(name:"SSA", value:"2017-227-01");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : xorg-server (SSA:2017-227-01)");
      script_summary(english:"Checks for updated packages in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New xorg-server packages are available for Slackware 13.0, 13.1,
    13.37, 14.0, 14.1, 14.2, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.1288055
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?98ad384a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:xorg-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:xorg-server-xephyr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:xorg-server-xnest");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:xorg-server-xvfb");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"xorg-server", pkgver:"1.6.3", pkgarch:"i486", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", pkgname:"xorg-server-xephyr", pkgver:"1.6.3", pkgarch:"i486", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", pkgname:"xorg-server-xnest", pkgver:"1.6.3", pkgarch:"i486", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", pkgname:"xorg-server-xvfb", pkgver:"1.6.3", pkgarch:"i486", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.6.3", pkgarch:"x86_64", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.6.3", pkgarch:"x86_64", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.6.3", pkgarch:"x86_64", pkgnum:"4_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.6.3", pkgarch:"x86_64", pkgnum:"4_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"xorg-server", pkgver:"1.7.7", pkgarch:"i486", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", pkgname:"xorg-server-xephyr", pkgver:"1.7.7", pkgarch:"i486", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", pkgname:"xorg-server-xnest", pkgver:"1.7.7", pkgarch:"i486", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", pkgname:"xorg-server-xvfb", pkgver:"1.7.7", pkgarch:"i486", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.7.7", pkgarch:"x86_64", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.7.7", pkgarch:"x86_64", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.7.7", pkgarch:"x86_64", pkgnum:"4_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.7.7", pkgarch:"x86_64", pkgnum:"4_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"xorg-server", pkgver:"1.9.5", pkgarch:"i486", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", pkgname:"xorg-server-xephyr", pkgver:"1.9.5", pkgarch:"i486", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", pkgname:"xorg-server-xnest", pkgver:"1.9.5", pkgarch:"i486", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", pkgname:"xorg-server-xvfb", pkgver:"1.9.5", pkgarch:"i486", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.9.5", pkgarch:"x86_64", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.9.5", pkgarch:"x86_64", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.9.5", pkgarch:"x86_64", pkgnum:"4_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.9.5", pkgarch:"x86_64", pkgnum:"4_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"xorg-server", pkgver:"1.12.4", pkgarch:"i486", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", pkgname:"xorg-server-xephyr", pkgver:"1.12.4", pkgarch:"i486", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", pkgname:"xorg-server-xnest", pkgver:"1.12.4", pkgarch:"i486", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", pkgname:"xorg-server-xvfb", pkgver:"1.12.4", pkgarch:"i486", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.12.4", pkgarch:"x86_64", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.12.4", pkgarch:"x86_64", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.12.4", pkgarch:"x86_64", pkgnum:"3_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.12.4", pkgarch:"x86_64", pkgnum:"3_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"xorg-server", pkgver:"1.14.3", pkgarch:"i486", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", pkgname:"xorg-server-xephyr", pkgver:"1.14.3", pkgarch:"i486", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", pkgname:"xorg-server-xnest", pkgver:"1.14.3", pkgarch:"i486", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", pkgname:"xorg-server-xvfb", pkgver:"1.14.3", pkgarch:"i486", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.14.3", pkgarch:"x86_64", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.14.3", pkgarch:"x86_64", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.14.3", pkgarch:"x86_64", pkgnum:"4_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.14.3", pkgarch:"x86_64", pkgnum:"4_slack14.1")) flag++;
    
    if (slackware_check(osver:"14.2", pkgname:"xorg-server", pkgver:"1.18.3", pkgarch:"i586", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"xorg-server-xephyr", pkgver:"1.18.3", pkgarch:"i586", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"xorg-server-xnest", pkgver:"1.18.3", pkgarch:"i586", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"xorg-server-xvfb", pkgver:"1.18.3", pkgarch:"i586", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.18.3", pkgarch:"x86_64", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.18.3", pkgarch:"x86_64", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.18.3", pkgarch:"x86_64", pkgnum:"3_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.18.3", pkgarch:"x86_64", pkgnum:"3_slack14.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"xorg-server", pkgver:"1.19.3", pkgarch:"i586", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", pkgname:"xorg-server-xephyr", pkgver:"1.19.3", pkgarch:"i586", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", pkgname:"xorg-server-xnest", pkgver:"1.19.3", pkgarch:"i586", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", pkgname:"xorg-server-xvfb", pkgver:"1.19.3", pkgarch:"i586", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"xorg-server", pkgver:"1.19.3", pkgarch:"x86_64", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"xorg-server-xephyr", pkgver:"1.19.3", pkgarch:"x86_64", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"xorg-server-xnest", pkgver:"1.19.3", pkgarch:"x86_64", pkgnum:"2")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"xorg-server-xvfb", pkgver:"1.19.3", pkgarch:"x86_64", pkgnum:"2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2683.NASL
    description: According to the versions of the xorg-x11-server packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
      - A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.(CVE-2018-14665)
      - In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events.(CVE-2017-10971)
      - In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session.(CVE-2017-13721)
      - It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.(CVE-2017-2624)
      - Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.(CVE-2017-10972)
      - xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12178)
      - xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12176)
      - xorg-x11-server before 1.19.5 was missing length validation in MIT-SCREEN-SAVER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12185)
      - xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12187)
      - xorg-x11-server before 1.19.5 was missing length validation in XFIXES extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12183)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12181)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12182)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12180)
      - xorg-x11-server before 1.19.5 was missing length validation in XINERAMA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12184)
      - xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12186)
      - xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12179)
      - xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code.(CVE-2017-12177)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-18
    plugin id: 132218
    published: 2019-12-18
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132218
    title: EulerOS 2.0 SP3 : xorg-x11-server (EulerOS-SA-2019-2683)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132218);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2017-10971",
        "CVE-2017-10972",
        "CVE-2017-12176",
        "CVE-2017-12177",
        "CVE-2017-12178",
        "CVE-2017-12179",
        "CVE-2017-12180",
        "CVE-2017-12181",
        "CVE-2017-12182",
        "CVE-2017-12183",
        "CVE-2017-12184",
        "CVE-2017-12185",
        "CVE-2017-12186",
        "CVE-2017-12187",
        "CVE-2017-13721",
        "CVE-2017-2624",
        "CVE-2018-14665"
      );
    
      script_name(english:"EulerOS 2.0 SP3 : xorg-x11-server (EulerOS-SA-2019-2683)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the xorg-x11-server packages installed,
    the EulerOS installation on the remote host is affected by the
    following vulnerabilities :
    
      - A flaw was found in xorg-x11-server before 1.20.3. An
        incorrect permission check for -modulepath and -logfile
        options when starting Xorg. X server allows
        unprivileged users with the ability to log in to the
        system via physical console to escalate their
        privileges and run arbitrary code under root
        privileges.(CVE-2018-14665)
    
      - In the X.Org X server before 2017-06-19, a user
        authenticated to an X Session could crash or execute
        code in the context of the X Server by exploiting a
        stack overflow in the endianness conversion of X
        Events.(CVE-2017-10971)
    
      - In X.Org Server (aka xserver and xorg-server) before
        1.19.4, an attacker authenticated to an X server with
        the X shared memory extension enabled can cause aborts
        of the X server or replace shared memory segments of
        other X clients in the same session.(CVE-2017-13721)
    
      - It was found that xorg-x11-server before 1.19.0
        including uses memcmp() to check the received MIT
        cookie against a series of valid cookies. If the cookie
        is correct, it is allowed to attach to the Xorg
        session. Since most memcmp() implementations return
        after an invalid byte is seen, this causes a time
        difference between a valid and invalid byte, which
        could allow an efficient brute force
        attack.(CVE-2017-2624)
    
      - Uninitialized data in endianness conversion in the
        XEvent handling of the X.Org X Server before 2017-06-19
        allowed authenticated malicious users to access
        potentially privileged data from the X
        server.(CVE-2017-10972)
    
      - xorg-x11-server before 1.19.5 had wrong extra length
        check in ProcXIChangeHierarchy function allowing
        malicious X client to cause X server to crash or
        possibly execute arbitrary code.(CVE-2017-12178)
    
      - xorg-x11-server before 1.19.5 was missing extra length
        validation in ProcEstablishConnection function allowing
        malicious X client to cause X server to crash or
        possibly execute arbitrary code.(CVE-2017-12176)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in MIT-SCREEN-SAVER extension allowing
        malicious X client to cause X server to crash or
        possibly execute arbitrary code.(CVE-2017-12185)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in RENDER extension allowing malicious X
        client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12187)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in XFIXES extension allowing malicious X
        client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12183)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in XFree86 DGA extension allowing malicious
        X client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12181)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in XFree86 DRI extension allowing malicious
        X client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12182)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in XFree86 VidModeExtension allowing
        malicious X client to cause X server to crash or
        possibly execute arbitrary code.(CVE-2017-12180)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in XINERAMA extension allowing malicious X
        client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12184)
    
      - xorg-x11-server before 1.19.5 was missing length
        validation in X-Resource extension allowing malicious X
        client to cause X server to crash or possibly execute
        arbitrary code.(CVE-2017-12186)
    
      - xorg-x11-server before 1.19.5 was vulnerable to integer
        overflow in (S)ProcXIBarrierReleasePointer functions
        allowing malicious X client to cause X server to crash
        or possibly execute arbitrary code.(CVE-2017-12179)
    
      - xorg-x11-server before 1.19.5 was vulnerable to integer
        overflow in ProcDbeGetVisualInfo function allowing
        malicious X client to cause X server to crash or
        possibly execute arbitrary code.(CVE-2017-12177)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2683
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?46718661");
      script_set_attribute(attribute:"solution", value:
    "Update the affected xorg-x11-server packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Xorg X11 Server SUID modulepath Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:xorg-x11-server-Xephyr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:xorg-x11-server-Xorg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:xorg-x11-server-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["xorg-x11-server-Xephyr-1.17.2-10.h6",
            "xorg-x11-server-Xorg-1.17.2-10.h6",
            "xorg-x11-server-common-1.17.2-10.h6"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xorg-x11-server");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3905.NASL
    description: Two security issues have been discovered in the X.org X server, which may lead to privilege escalation or an information leak.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101323
    published: 2017-07-10
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101323
    title: Debian DSA-3905-1 : xorg-server - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3905. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101323);
      script_version("3.8");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2017-10971", "CVE-2017-10972");
      script_xref(name:"DSA", value:"3905");
    
      script_name(english:"Debian DSA-3905-1 : xorg-server - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two security issues have been discovered in the X.org X server, which
    may lead to privilege escalation or an information leak."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867492"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/xorg-server"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/xorg-server"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2017/dsa-3905"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xorg-server packages.
    
    For the oldstable distribution (jessie), these problems have been
    fixed in version 2:1.16.4-1+deb8u1.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 2:1.19.2-1+deb9u1. Setups running root-less X are not
    affected."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xorg-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"xdmx", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xdmx-tools", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xnest", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xorg-server-source", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-common", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-xephyr", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-xorg-core", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-xorg-core-dbg", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-xorg-core-udeb", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xserver-xorg-dev", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xvfb", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"xwayland", reference:"2:1.16.4-1+deb8u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xdmx", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xdmx-tools", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xnest", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xorg-server-source", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-common", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-xephyr", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-xorg-core", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-xorg-core-udeb", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-xorg-dev", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xserver-xorg-legacy", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xvfb", reference:"2:1.19.2-1+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"xwayland", reference:"2:1.19.2-1+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1026.NASL
    description: CVE-2017-10971 A user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. CVE-2017-10972 Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server allowed authenticated malicious users to access potentially privileged data from the X server. For Debian 7
    last seen: 2020-03-17
    modified: 2017-07-17
    plugin id: 101552
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101552
    title: Debian DLA-1026-1 : xorg-server security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1859-1.NASL
    description: This update for xorg-x11-server provides the following fixes: - CVE-2017-10971: Fix endianness handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101763
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101763
    title: SUSE SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1859-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1861-1.NASL
    description: This update for xorg-x11-server fixes the following issues: - CVE-2017-10971: Fix endianness handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101765
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101765
    title: SUSE SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1861-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-825.NASL
    description: This update for xorg-x11-server fixes the following issues: - CVE-2017-10971: Fix endianness handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. - Improve retrieval of entropy for generating random authentication cookies (boo#1025084)
    last seen: 2020-06-05
    modified: 2017-07-17
    plugin id: 101760
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/101760
    title: openSUSE Security Update : xorg-x11-server (openSUSE-2017-825)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3362-1.NASL
    description: It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to crash the server, or possibly execute arbitrary code as an administrator. (CVE-2017-10971) It was discovered that the X.Org X server incorrectly handled endianness conversion of certain X events. An attacker able to connect to an X server, either locally or remotely, could use this issue to possibly obtain sensitive information. (CVE-2017-10972) Eric Sesterhenn discovered that the X.Org X server incorrectly compared MIT cookies. An attacker could possibly use this issue to perform a timing attack and recover the MIT cookie. (CVE-2017-2624). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101949
    published: 2017-07-25
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101949
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial vulnerabilities (USN-3362-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1860-1.NASL
    description: This update for xorg-x11-server provides the following fixes: - CVE-2017-10971: Fix endianness handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101764
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101764
    title: SUSE SLED12 / SLES12 Security Update : xorg-x11-server (SUSE-SU-2017:1860-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-1850-1.NASL
    description: This update for xorg-x11-server fixes the following issues: - CVE-2017-10971: Fix endianness handling of GenericEvent to prevent a stack overflow by clients. (bnc#1035283) - Make sure the type of all events to be sent by ProcXSendExtensionEvent are in the allowed range. - CVE-2017-10972: Initialize the xEvent eventT with zeros to avoid information leakage. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101520
    published: 2017-07-13
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101520
    title: SUSE SLES11 Security Update : xorg-x11-server (SUSE-SU-2017:1850-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_AB881A74C0164E6D9F7D68C8E7CEDAFB.NASL
    description: xorg-server developers report: In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103909
    published: 2017-10-18
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103909
    title: FreeBSD : xorg-server -- Multiple Issues (ab881a74-c016-4e6d-9f7d-68c8e7cedafb)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2421.NASL
    description: According to the versions of the xorg-x11-server packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
      - xorg-x11-server before 1.19.5 was vulnerable to integer overflow in ProcDbeGetVisualInfo function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12177)
      - xorg-x11-server before 1.19.5 had wrong extra length check in ProcXIChangeHierarchy function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12178)
      - xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S)ProcXIBarrierReleasePointer functions allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12179)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12180)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12181)
      - xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12182)
      - xorg-x11-server before 1.19.5 was missing length validation in XFIXES extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12183)
      - xorg-x11-server before 1.19.5 was missing length validation in XINERAMA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12184)
      - xorg-x11-server before 1.19.5 was missing length validation in MIT-SCREEN-SAVER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12185)
      - xorg-x11-server before 1.19.5 was missing length validation in X-Resource extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12186)
      - xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12187)
      - In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attacker authenticated to an X server with the X shared memory extension enabled can cause aborts of the X server or replace shared memory segments of other X clients in the same session. (CVE-2017-13721)
      - It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack. (CVE-2017-2624)
      - A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges. (CVE-2018-14665)
      - In the X.Org X server before 2017-06-19, a user authenticated to an X Session could crash or execute code in the context of the X Server by exploiting a stack overflow in the endianness conversion of X Events. (CVE-2017-10971)
      - Uninitialized data in endianness conversion in the XEvent handling of the X.Org X Server before 2017-06-19 allowed authenticated malicious users to access potentially privileged data from the X server. (CVE-2017-10972)
      - xorg-x11-server before 1.19.5 was missing extra length validation in ProcEstablishConnection function allowing malicious X client to cause X server to crash or possibly execute arbitrary code. (CVE-2017-12176)
      Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-10
    plugin id: 131913
    published: 2019-12-10
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131913
    title: EulerOS 2.0 SP2 : xorg-x11-server (EulerOS-SA-2019-2421)