A vulnerability in a component of a graphical user interface that ships with several commercial Unix systems could let a malicious attacker take administrative control of an affected host system, according to an advisory Tuesday from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
The vulnerability exists in a function used by the Common Desktop Environment (CDE) Subprocess Control Service, which is responsible for accepting requests from clients to execute commands and open applications remotely. Because of an error in the way requests from remote clients are validated, crackers could manipulate data and cause a buffer overflow.
The CDE is an integrated graphical user interface that runs on Unix and Linux systems. The affected software includes several versions of Hewlett-Packard's HP-UX, IBM's AIX, Sun Microsystems Inc.'s Solaris and Compaq Computer Corp.'s Tru64 Unix.
Patches that address the problem are available from some of the vendors, while a few others have acknowledged the problem and are investigating, according to the CERT advisory.
Until patches are available, one way for users to mitigate their exposure is to limit or block access to the Subprocess Control Service from untrusted networks, CERT advised.
