Synthetic Playback Agent - XVFB (X11)- Security Vulnerability Discovered, How to Resolve?

by John Horton

If the following vulnerability is found by your security team regarding the IPM V8.1.3 Synthetic Playback Agent with respect to X11,



X11 SERVER UNAUTHENTICATED ACCESS (19948)                                
SYNOPSIS  The remote X11 server accepts connections from anywhere.       
DESCRIPTION  The remote X11 server accepts connections from anywhere.    
An attacker can connect to it to eavesdrop on the keyboard and mouse     
events of a user on the remote host. It is even possible for an          
attacker to grab a screenshot of the remote host or to display           
arbitrary programs. An attacker can exploit this flaw to obtain the      
username and password of a user on the remote host.                      
SEVERITY  CRITICAL                                                       
CVE  CVE-1999-0526                                                       
CVSS Score: 10 out of 10                                                 
ENVIRONMENT  PRODUCTION                                                       
VULNERABLE HOSTS REPORTED <>                            
OUTPUT  It was possible to gather the following screenshot of the        
remote computer.                                                         
SOLUTION  Restrict access to this port by using the 'xhost' command. If  
the X client/server facility is not used, disable TCP connections to     
the X server entirely.                                                   
ADDITIONAL REFERENCES                                                    
RECOMMENDED ACTION  VALIDATE FINDING                                     
Confirm accuracy of this finding.                                        
Disable if not required or apply IP based access restrictions to this    
VERSION TRACKING  8/2/2017                                               
Vulnerability identified in PRODUCTION internal vulnerability scan



Follow these steps to resolve the problem:

1) First check the XVFB display port, see blow sample, the output means  
the display port is :1                                                   
#ps -ef | grep Xvfb                                                      
root     19718     1  0 Mar13 ?        00:00:24 Xvfb :1 -screen 0        
1600x1200x16 -ac -extension GLX                                          
2) export the Display before running xhost                               
# export DISPLAY=:1                                                      
3) run "xhost" command to check access control, you may see oupout       
"access control disabled, clients can connect from any host", by         
default, access control is disabled,  so we need to enable               
# xhost                                                                  
access control disabled, clients can connect from any host               
4) run "xhost -" command to enable access control                        
# xhost -                                                                
access control enabled, only authorized clients can connect              
5) run "xhost" command again to check check access control, "localhost"  
should be included in the access contorl list, if it is not, then run    
"xhost +localhost"  command                                              
Enabling Xvfb access control does not impact the synthetic agent since   
synthetic agent is accessing Xvfb from localhost(localhost is in access  
list regarless of the user), and it will not also impact OS agents since
OS agent does not use Xvfb 

Recent Stories
Synthetic Playback Agent - XVFB (X11)- Security Vulnerability Discovered, How to Resolve?

Guardium Logging Errors for SQL Server Agent Queries

Download Rational Performance Tester for ITCAM for Transactions with Response Time