Bug 1963

Summary: vncviewer can send password to server without proper validation of the X.509 certificate
Product: Mageia Reporter: Stew Benedict <stewbintn>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, elegant.pegasus, mageia, marja11, stormi-mageia, sysadmin-bugs, tmb
Version: 1Keywords: Security, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: tigervnc-1.0.90-0.201012034210.6.mga1.src.rpm CVE:
Status comment:

Description Stew Benedict 2011-06-29 13:25:03 CEST 
It was reported [1] that vncviewer could prompt for, and send, authentication
credentials to a remote server without first properly validating the X.509
certificate.  This could allow a malicious server to obtain a client's
credentials because the client does not indicate to the user that a certificate
is bad or missing.

A proposed patch [2] is being discussed.

[1]
http://www.mail-archive.com/tigervnc-devel@lists.sourceforge.net/msg01342.html
[2]
http://www.mail-archive.com/tigervnc-devel@lists.sourceforge.net/msg01347.html

Above copied From RH's bug:

https://bugzilla.redhat.com/show_bug.cgi?id=702470

CVE:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1775

Took a quick look at our build and it does seem to include the X.509 support.

Advisory Text:
It was discovered that vncviewer could prompt for and send authentication
credentials to a remote server without first properly validating the
server's X.509 certificate. As vncviewer did not indicate that the
certificate was bad or missing, a man-in-the-middle attacker could use this
flaw to trick a vncviewer client into connecting to a spoofed VNC server,
allowing the attacker to obtain the client's credentials. This issue is identified at mitre.org by CVE-2011-1775. Updated packages correct this issue.
Comment 1 Stew Benedict 2011-08-29 18:42:34 CEST 
2 months, no triage, no interest, closing

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 Sander Lepik 2011-08-29 18:48:45 CEST 
Mageia 1 is not EOL yet!

Status: RESOLVED => REOPENED
CC: (none) => sander.lepik
Hardware: i586 => All
Resolution: OLD => (none)
Assignee: bugsquad => dmorganec

Remco Rijnders 2011-08-29 18:53:25 CEST

Keywords: (none) => Security

Comment 3 D Morgan 2011-09-03 23:39:19 CEST 
patching in progress
Comment 4 D Morgan 2011-09-03 23:40:25 CEST 
package in update_testing

Assignee: dmorganec => qa-bugs

Comment 5 D Morgan 2011-09-04 02:27:11 CEST 
i take back this bug, the package doesn't build.

CC: (none) => dmorganec
Assignee: qa-bugs => dmorganec

Comment 6 Samuel Verschelde 2011-10-01 16:14:30 CEST 
ping for this security issue.

CC: (none) => stormi

Comment 7 Manuel Hiebel 2011-11-01 00:13:56 CET 
Ping ?
Comment 8 Manuel Hiebel 2011-11-18 00:05:23 CET 
Ping ?
Comment 9 Manuel Hiebel 2011-12-06 02:03:28 CET 
Ping ?
Comment 10 Marja Van Waes 2011-12-09 15:48:58 CET 
On the mageia-discuss ml another possible issue was mentioned and Florian reacted:

Am 07.12.2011 09:40, schrieb Kira:
> > One of the user from Taiwan reported that he can't
> >
> > get keyboard working with xrdp/tigervnc-server.
> >
> > Mouse works, Some keys like Enter works, but
> >
> > a~z, 1~0 don't.Any help?
> >
Should be looked at, and could be fixed together when fixing
tigervnc build

CC: (none) => marja11

Marja Van Waes 2011-12-09 15:51:03 CET

CC: (none) => elegant.pegasus

Comment 11 D Morgan 2011-12-10 04:33:09 CET 
i just pushed a new version 1.1.0 into cauldron and mageia 1.

I assign the bug to QA, if the package doesn't build ( it builds OK in cauldron ) then please reassign it to me.

Assignee: dmorganec => qa-bugs

Comment 12 claire robinson 2011-12-10 11:36:10 CET 
Has vncviewer been updated? 

All I can see is tigervnc. Isn't this different?
Comment 13 claire robinson 2011-12-10 11:40:56 CET 
tigervnc provides vncviewer, sorry for the noise. I thought it was s separate CLI utility.
Comment 14 Dave Hodgins 2011-12-10 21:27:33 CET 
Testing on i586 complete for the srpm
tigervnc-1.1.0-0.1.mga1.src.rpm

I don't have a POC for testing the exploit, so just confirming
the program works.  For testing, I used ssh to login to an
account that has an x session already running on the local
system, then used

x0vncserver display=:0 -SecurityTypes=None &
vncviewer -compresslevel 9 localhost:0

to take over the x session.

CC: (none) => davidwhodgins

Comment 15 D Morgan 2012-01-01 22:44:44 CET 
someone to test on x86_64 please ?
Comment 16 Manuel Hiebel 2012-01-01 23:49:24 CET 
Testing complete on x86_64 with using the vnc server of virt-manager/kvm


Suggested Advisory:
-------------
It was discovered that vncviewer could prompt for and send authentication
credentials to a remote server without first properly validating the
server's X.509 certificate. As vncviewer did not indicate that the
certificate was bad or missing, a man-in-the-middle attacker could use this
flaw to trick a vncviewer client into connecting to a spoofed VNC server,
allowing the attacker to obtain the client's credentials. This issue is
identified at mitre.org by CVE-2011-1775. Updated packages correct this issue.

https://bugs.mageia.org/show_bug.cgi?id=1963
-------------

SRPM: tigervnc-1.1.0-0.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Thomas Backlund 2012-01-04 15:15:31 CET 
Update pushed.

Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED