Bug 11350 - vino new security issue CVE-2013-5745
: vino new security issue CVE-2013-5745
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/569031/
: MGA2TOO mga3-32-ok mga3-64-ok mga2-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-10-01 20:59 CEST by David Walser
Modified: 2013-10-10 00:54 CEST (History)
3 users (show)

See Also:
Source RPM: vino-3.7.3-2.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-10-01 20:59:55 CEST
Ubuntu has issued an advisory on September 30:
http://www.ubuntu.com/usn/usn-1980-1/

Ubuntu has links to upstream commits to fix it in trunk and 3.8:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5745.html

Ubuntu's released updates contain patches for 3.4.x and 3.6.x.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-10-04 18:36:24 CEST
The version in Cauldron is not affected (already fixed upstream there).

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated vino package fixes security vulnerability:

The vino_server_client_data_pending function in vino-server.c in GNOME Vino
3.7.3 and earlier, when encryption is disabled, does not properly clear client
data when an error causes the connection to close during authentication, which
allows remote attackers to cause a denial of service (infinite loop, CPU and
disk consumption) via multiple crafted requests during authentication
(CVE-2013-5745).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5745
http://www.ubuntu.com/usn/usn-1980-1/
========================

Updated packages in core/updates_testing:
========================
vino-3.4.2-1.2.mga2
vino-3.7.3-2.1.mga3

from SRPMS:
vino-3.4.2-1.2.mga2.src.rpm
vino-3.7.3-2.1.mga3.src.rpm
Comment 2 claire robinson 2013-10-07 13:26:50 CEST
Testing mga3 64

Before
------
$ vino-preferences

Configure to accept connections without a password.

$ /usr/libexec/vino-server

(vino-server:29048): EggSMClient-CRITICAL **: egg_sm_client_set_mode: assertion `global_client == NULL || global_client_mode == EGG_SM_CLIENT_MODE_DISABLED' failed
07/10/2013 12:18:55 Autoprobing TCP port in (all) network interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900
07/10/2013 12:18:55 Autoprobing selected port 5900
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900
07/10/2013 12:18:55 Clearing securityTypes
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Clearing securityTypes
07/10/2013 12:18:55 Advertising security type: 'TLS' (18)
07/10/2013 12:18:55 Advertising authentication type: 'No Authentication' (1)
07/10/2013 12:18:55 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
07/10/2013 12:18:55 Listening IPv6://[::]:5900
07/10/2013 12:18:55 Listening IPv4://0.0.0.0:5900


Using PoC from here http://seclists.org/fulldisclosure/2013/Sep/105 saved as cve20135745.rb setting the a.b.c.d to 127.0.0.1

$ ruby cve20135745.rb 
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
etc..

Ran several times and noticed no DoS or growth in ~/.xsession-errors

$ du -h ~/.xsession-errors
84K     .xsession-errors


Noticed on the server tab ..

07/10/2013 12:22:48 Client Protocol Version 3.3
07/10/2013 12:22:48 rfbClientConnFailed("No security type suitable for RFB 3.3 supported")

It seems mga3 might not be vulnerable.
Comment 3 claire robinson 2013-10-07 14:06:23 CEST
Testing the update anyway..

After
-----
A warning about schema id's but no difference.

installing vino-3.7.3-2.1.mga3.x86_64.rpm from /var/cache/urpmi/rpms                                                                        
Preparing...                     ########################
      1/1: vino                  ########################
      1/1: removing vino-3.7.3-2.mga3.x86_64
                                 ########################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>


07/10/2013 13:01:50 Client Protocol Version 3.3
07/10/2013 13:01:50 rfbClientConnFailed("No security type suitable for RFB 3.3 supported")

Bug 8908 exists for the schema id warnings from the last update in mga2.

Testing complete mga3 64
Comment 4 claire robinson 2013-10-07 14:13:39 CEST
Testing mga2 32

Different location in mga2 for the server, /usr/lib/vino-server

Similar results, an error but no DoS.


07/10/2013 13:10:19 Client Protocol Version 3.3
07/10/2013 13:10:19 rfbProcessClientInitMessage: write: Broken pipe


Tried also with socat (See bug 8782 for last update)

$ socat - tcp4:localhost:5900

Then pasted..

RFB 003.003
AAAAAAAAAAAAAAAA

It closes the connection and shows this in the server instead

07/10/2013 12:50:14 Client Protocol Version 3.3
07/10/2013 12:50:17 rfbProcessClientNormalMessage: unknown message type 65


Same after update so testing complete mga2 32
Comment 5 claire robinson 2013-10-07 14:22:17 CEST
Testing complete mga3 32
Comment 6 claire robinson 2013-10-07 14:47:37 CEST
Managed to reproduce this by requiring authentication, instead of no authentication. Just set a password in vino-preferences.

$ ruby testcases/vino/cve20135745.rb 
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Got Server Banner: RFB 003.007
Sending Payload: AAAAAAAAAAAAAAAA
Testing RFB 003.003
Waiting for Server Banner...
Operations are timing out, you may have DoS'd the service
Testing RFB 003.003
Waiting for Server Banner...
Operations are timing out, you may have DoS'd the service

and the server...

07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message
07/10/2013 13:32:04 Authentication deferred - ignoring client message^C

killed with ctrl-c
Comment 7 claire robinson 2013-10-07 14:50:47 CEST
Testing complete mga2 64

After update it shows password check failed and authentication deferred, rather than a DoS.

I'll re-check mga3 to reproduce before validating.
Comment 8 claire robinson 2013-10-07 14:55:06 CEST
Mga3 doesn't appear vulnerable, it shows the 'No security type suitable for RFB 3.3 supported' message and closes the connection even with VNC authentication active.

Validating. Advisory 11350.adv uploaded.

Could sysadmin please push from 2&3 Core/updates_testing to updates

Thanks!
Comment 9 Thomas Backlund 2013-10-10 00:54:18 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0300.html

Note You need to log in before you can comment on or make changes to this bug.