CVE-2021-31535
Published: 2021-05-27
Priority: P2 · 68 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.63% (95.2th percentile)
LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libx11 | < libx11 2:1.7.1-1 (bookworm) | libx11 2:1.7.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| x.org | libx11 | < 1.7.1 | 1.7.1 |
| x.org | libx11 | >= 0 < 2:1.7.1-1 | 2:1.7.1-1 |
| x.org | libx11 | >= 0 < 2:1.7.1-1 | 2:1.7.1-1 |
| x.org | libx11 | >= 0 < 2:1.7.1-1 | 2:1.7.1-1 |
| x.org | libx11 | >= 0 < 2:1.7.1-1 | 2:1.7.1-1 |
| x.org | x_window_system | <= x11r7.7 | — |
Detection & IOCs (extracted from sources)
- The attack vector involves sending an XLookupColor request with a color name longer than the maximum protocol size; the oversized user-controlled data is interpreted by the X server as additional X protocol requests and executed.
- The delivery mechanism can be malicious terminal control sequences for color codes (e.g. via xterm), enabling injection of X11 protocol commands through terminal output.
- One known payload effect is complete disabling of X server authorization; monitor for unexpected changes to X server authorization state (e.g. 'xhost +' equivalent commands injected via protocol).
- The vulnerable code path is in LookupCol.c; the flaw allows injection of X11 protocol commands, including potential bypass of authentication via injection of control characters.
- Red Hat Enterprise Linux 8 and 9 do not run the Xorg server with root privileges, reducing the impact of exploitation on those platforms.
- The vulnerability is fixed in libX11 1.7.1 and later; systems running libX11 >= 1.7.1 are not affected.
- The attack surface is elevated when xterm or similar terminals are used to display less-trusted data (e.g. from SSH sessions to untrusted hosts), as terminal color-code sequences are the primary delivery vector.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu (vendor_ubuntu · 2021-05-25)
Title: libx11 vulnerability
Summary: libx11 could allow unintended access to services.
USN-4966-1 fixed a vulnerability in libx11. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that libx11 incorrectly validated certain parameter lengths. A remote attacker could possibly use this issue to trick libx11 into emitting extra X protocol requests.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Ubuntu (vendor_ubuntu · 2021-05-25)
Title: libx11 vulnerability
Summary: libx11 could allow unintended access to services.
It was discovered that libx11 incorrectly validated certain parameter lengths. A remote attacker could possibly use this issue to trick libx11 into emitting extra X protocol requests.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat (vendor_redhat · 2021-05-18 · CVSS 9.8)
CVE-2021-31535 [CRITICAL] CWE-20: libX11: missing request length checks
A miss
Debian (vendor_debian · 2021 · CVSS 9.8)
CVE-2021-31535 [CRITICAL]: libx11 - LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remot...
Scope: local
bookworm: resolved (fixed in 2:1.
GHSA (ghsa_unreviewed · 2022-05-24)
GHSA-3vp2-rf63-rc8p [CRITICAL] CWE-120: LookupCol
OSV (osv · 2021-05-27 · CVSS 9.8)
CVE-2021-31535 [CRITICAL]: LookupCol
No detection rules found.
No public exploits indexed.