Ubuntu has issued an advisory on September 30: http://www.ubuntu.com/usn/usn-1980-1/

Ubuntu has links to upstream commits to fix it in trunk and 3.8: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5745.html

Ubuntu's released updates contain patches for 3.4.x and 3.6.x.

Mageia 2 and Mageia 3 are also affected.
Whiteboard: (none) => MGA3TOO, MGA2TOO
The version in Cauldron is not affected (already fixed upstream there).

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated vino package fixes security vulnerability:

The vino_server_client_data_pending function in vino-server.c in GNOME Vino 3.7.3 and earlier, when encryption is disabled, does not properly clear client data when an error causes the connection to close during authentication, which allows remote attackers to cause a denial of service (infinite loop, CPU and disk consumption) via multiple crafted requests during authentication (CVE-2013-5745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
http://www.ubuntu.com/usn/usn-1980-1/
========================

Updated packages in core/updates_testing:
========================
vino-3.4.2-1.2.mga2
vino-3.7.3-2.1.mga3

from SRPMS:
vino-3.4.2-1.2.mga2.src.rpm
vino-3.7.3-2.1.mga3.src.rpm
CC: (none) => mageia
Version: Cauldron => 3
Assignee: mageia => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Testing mga3 64

Before
------
$ vino-preferences
Configure to accept connections without a password.

$ /usr/libexec/vino-server
(vino-server:29048): EggSMClient-CRITICAL **: egg_sm_client_set_mode: assertion `global_client == NULL || global_client_mode == EGG_SM_CLIENT_MODE_DISABLED' failed
07/10/2013 12:18:55 Autoprobing TCP port in (all) network interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900
07/10/2013 12:18:55 Autoprobing selected port 5900
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900
07/10/2013 12:18:55 Clearing securityTypes
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Clearing securityTypes
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Advertising authentication type: 'No Authentication' (1)
07/10/2013 12:18:55 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900

Using PoC from here http://seclists.org/fulldisclosure/2013/Sep/105 saved as cve20135745.rb, setting the a.b.c.d to 127.0.0.1

$ ruby cve20135745.rb
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
etc..

Ran several times and noticed no DoS or growth in ~/.xsession-errors

$ du -h ~/.xsession-errors
84K .xsession-errors

Noticed on the server tab..
07/10/2013 12:22:48 Client Protocol Version 3.3
07/10/2013 12:22:48 rfbClientConnFailed("No security type suitable for RFB 3.3 supported")

It seems mga3 might not be vulnerable.
Testing the update anyway..

After
-----
A warning about schema ids but no difference.

installing vino-3.7.3-2.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... ########################
1/1: vino ########################
1/1: removing vino-3.7.3-2.mga3.x86_64 ########################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>

07/10/2013 13:01:50 Client Protocol Version 3.3
07/10/2013 13:01:50 rfbClientConnFailed("No security type suitable for RFB 3.3 supported")

Bug 8908 exists for the schema id warnings from the last update in mga2.

Testing complete mga3 64
Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok
Testing mga2 32

Different location in mga2 for the server, /usr/lib/vino-server

Similar results, an error but no DoS.
07/10/2013 13:10:19 Client Protocol Version 3.3
07/10/2013 13:10:19 rfbProcessClientInitMessage: write: Broken pipe

Tried also with socat (see bug 8782 for last update)

$ socat - tcp4:localhost:5900

Then pasted..
RFB 003.003
AAAAAAAAAAAAAAAA

It closes the connection and shows this in the server instead
07/10/2013 12:50:14 Client Protocol Version 3.3
07/10/2013 12:50:17 rfbProcessClientNormalMessage: unknown message type 65

Same after update, so testing complete mga2 32
Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga2-32-ok
Testing complete mga3 32
Whiteboard: MGA2TOO mga3-64-ok mga2-32-ok => MGA2TOO mga3-32-ok mga3-64-ok mga2-32-ok
Managed to reproduce this by requiring authentication, instead of no authentication. Just set a password in vino-preferences.

$ ruby testcases/vino/cve20135745.rb
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Operations are timing out, you may have DoS'd the service
Testing RFB 003.003
Waiting for Server Banner...
Operations are timing out, you may have DoS'd the service

and the server...
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message^C
killed with ctrl-c
Testing complete mga2 64

After update it shows password check failed and authentication deferred, rather than a DoS.

I'll re-check mga3 to reproduce before validating.
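The server-side symptom reported above (a tight run of "Authentication deferred - ignoring client message" lines within the same second) is something a defender can watch for in the vino-server output even before the patched package is deployed. The following is an added example, not part of this bug report, the vino project, or the referenced PoC: a small Python log check that parses lines in the same `MM/DD/YYYY HH:MM:SS message` format quoted in the report and flags any second in which the deferred-authentication message repeats at or above a threshold. The sample log text and the threshold value of 4 are constructed assumptions for illustration.

```python
"""Flag bursts of 'Authentication deferred' messages in vino-server output.

Added example, not code from the Mageia bug report or the vino project.
The log format mirrors the lines quoted in the report
(MM/DD/YYYY HH:MM:SS <message>); the sample lines and the default
threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
import re

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
DEFERRED_MSG = "Authentication deferred - ignoring client message"

# Constructed sample: one rejected 3.3 handshake (the benign case seen on
# mga3), then a burst resembling the one observed on mga2 with a password set.
SAMPLE_LOG = """\
07/10/2013 13:31:58 Client Protocol Version 3.3
07/10/2013 13:31:58 rfbClientConnFailed("No security type suitable for RFB 3.3 supported")
07/10/2013 13:32:04 Client Protocol Version 3.3
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:05 Authentication deferred - ignoring client message
"""


def parse_line(line):
    """Return (timestamp, message) for a vino-server log line, or None
    for lines that do not carry the date/time prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    return ts, m.group(2)


def deferred_bursts(log_text, threshold=4):
    """Return a sorted list of (timestamp, count) for every second in which
    the deferred-authentication message appeared at least `threshold` times.

    A normal deferred-auth exchange logs this message a handful of times at
    most; a server spinning on stale client data emits it continuously, so
    many copies inside a single second are the signal worth alerting on.
    """
    per_second = defaultdict(int)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg == DEFERRED_MSG:
            per_second[ts] += 1
    return sorted((ts, n) for ts, n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    for ts, n in deferred_bursts(SAMPLE_LOG):
        print(f"{ts:%m/%d/%Y %H:%M:%S}: {n} deferred-auth messages in one second")
```

Run it against a captured ~/.xsession-errors (or the terminal output of vino-server) by passing that text to `deferred_bursts`; the single-second window is deliberately coarse because the loop described in the advisory produces the message far faster than any legitimate client retry would.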
Whiteboard: MGA2TOO mga3-32-ok mga3-64-ok mga2-32-ok => MGA2TOO mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
Mga3 doesn't appear vulnerable; it shows the 'No security type suitable for RFB 3.3 supported' message and closes the connection even with VNC authentication active.

Validating. Advisory 11350.adv uploaded.

Could sysadmin please push from 2&3 Core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0300.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED