Open X Display Manager Control Protocol (XDMCP) service

Overview

The X Display Manager Control Protocol (XDMCP) in Linux and Unix operating systems allows users to log in to machines from remote locations. This protocol contains a security weakness that can allow an attacker to view the graphical login screen from any host.

This weakness can allow the attacker to obtain a list of users and possibly gain remote control of the system. The attacker would need to know or guess the password for the account that they wish to log in to. Most systems do not allow remote users to log in to the root account from this login screen. [1]

In addition to potentially opening your system to direct attack, AusCERT states that an open XDMCP service can be used as a DDoS attack amplifier: an attacker sends XDMCP request packets with a spoofed source IP address, and the larger replies are delivered to the spoofed victim.

Checking to see if you are vulnerable

It is a bit tricky to check whether an instance is actually vulnerable. However, your system is potentially vulnerable if your instance is listening for requests on UDP port 177. You should be able to detect this by running "netstat -a -n | grep 177" or "netstat -a | grep xdmcp" and looking for a line that indicates that there is a service listening for requests. Note that "grep 177" also matches any other line containing those digits (for example a connection on port 1770), so confirm that the matching line is a udp entry whose Local Address column ends in ":177"; the "xdmcp" form relies on port 177 being mapped to that name in /etc/services.
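The following is an added example (not part of the original article) that performs this check more precisely: it parses netstat output and reports only UDP sockets bound to port 177, so an unrelated line that merely contains "177" does not trigger a false positive. The sample netstat output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): detect an XDMCP listener
# by parsing netstat output, matching UDP port 177 exactly rather than any
# line that contains "177" (which would also match port 1770 or a PID).

# Constructed sample in the format of `netstat -a -n` on Linux (net-tools).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1770           10.0.0.9:44123          ESTABLISHED
udp        0      0 0.0.0.0:177             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# xdmcp_listeners: print the netstat lines that show a UDP (udp or udp6)
# socket bound to port 177 on any address.  Reads netstat output on stdin.
xdmcp_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:177$/'
}

# check_xdmcp: takes netstat output as its argument; returns 0 (something is
# listening on UDP/177, so the instance is potentially vulnerable) or 1.
check_xdmcp() {
    [ -n "$(printf '%s\n' "$1" | xdmcp_listeners)" ]
}

# Live check on this host.  Requires netstat (net-tools); `ss -lun` is the
# modern equivalent on distributions that no longer ship netstat.
if command -v netstat >/dev/null 2>&1; then
    if check_xdmcp "$(netstat -a -n 2>/dev/null)"; then
        echo "WARNING: XDMCP listener found on UDP port 177:"
        netstat -a -n 2>/dev/null | xdmcp_listeners
    else
        echo "No XDMCP listener on UDP port 177."
    fi
fi
```

Against the constructed sample the check reports exactly one listener (the 0.0.0.0:177 udp line) and ignores the tcp connection on port 1770.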

Mitigation

The best mitigation is to turn off the XDMCP service. Different distributions / versions of Linux implement the display manager differently, so there is no single recipe for turning the service off. Please check the documentation relevant to the version you are using.

If you need to run XDMCP, then you should restrict access to the port so that only trusted external IPs can reach it. You can do this either by modifying the NeCTAR Security Groups / Rules for the instance, or by implementing some internal firewall rules on the instance itself.

If your instance was booted using an image provided by someone else, you can ask them for advice on how to mitigate the problem.

References

[1] https://tools.cisco.com/security/center/viewAlert.x?alertId=3473
