dataendure-banner.jpg

DataEndure Blog

Security

Security Advisory: Critical Vulnerability Found in Xorg X.Server Package

Shahin Pirooz | Oct 29, 2018 4:04:53 PM

Situation
A critical vulnerability was found in the Xorg X.Server package that is used on most major Linux operating systems.

Problem
The X.Server program does not properly handle and validate arguments for two command line options -modulepath and -logfile.

Implication 
This allows an unprivileged user who has access to the system to elevate their permissions and then execute malicious code or overwrite any file on the system.

Need
Xorg and all major Linux systems have issued a patch. Users can address this issue by patching their Linux systems directly or downloading the patch directly from Xorg. 

If users are unable to patch, X.Org recommends to remove the setuid bit (ie chmod 755) of the installed Xorg binary.  Note that this can cause issues if people are starting the X window system using the 'startx', 'xinit' commands or variations thereof. 

X.Org recommends the use of a display manager to start X sessions,

which does not require Xorg to be installed setuid.

Sign-up for DataEndure’s Free Vulnerability Health Check