Bug 15481 - novnc new security issue CVE-2013-7436
Summary: novnc new security issue CVE-2013-7436
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/639239/
Whiteboard: has_procedure advisory MGA4-32-OK mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-03-12 23:00 CET by David Walser
Modified: 2015-04-06 23:50 CEST

See Also:
Source RPM: novnc-0.4-11.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-03-12 23:00:38 CET
A CVE has been assigned for an issue fixed in noVNC:
http://openwall.com/lists/oss-security/2015/03/12/13

The message above contains a link to an upstream patch to fix the issue.

I've checked the patch into Mageia 4 and Cauldron SVN and requested a freeze push.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-12 23:00:54 CET

CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO

Sander Lepik 2015-03-14 19:36:12 CET

CC: (none) => mageia
Assignee: bugsquad => mageia

Comment 1 David Walser 2015-03-15 18:12:41 CET
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated novnc package fixes security vulnerability:

noVNC before 0.5.1 allows an attacker to steal insecurely set session token
cookies, hijacking active or inactive VNC sessions (CVE-2013-7436).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7436
https://bugzilla.redhat.com/show_bug.cgi?id=1193451
========================

Updated packages in core/updates_testing:
========================
novnc-0.4-9.1.mga4

from novnc-0.4-9.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-03-16 03:59:40 CET
Thomas had to rebuild the update due to a missing signature.

Updated packages in core/updates_testing:
========================
novnc-0.4-9.2.mga4

from novnc-0.4-9.2.mga4.src.rpm
Comment 3 David Walser 2015-03-19 13:59:48 CET
This is pretty neat.

First you have to use a VNC server to share your desktop via VNC, I used krfb.

Then you run novnc_server, which will allow you to connect from a remote machine to your desktop via HTTP, or if you give novnc_server an SSL certificate to use, via HTTPS.  You can create a certificate with OpenSSL or just use the Apache one if you have that installed (with the option --cert /etc/pki/tls/certs/httpd.pem).

$ krfb &
$ cd /usr/share/novnc
$ novnc_server --cert /etc/pki/tls/certs/httpd.pem

then it gives you some output, including an HTTP URL you can use from a remote machine to connect to your desktop.  Make sure you've enabled access to port 6080 on your desktop in your firewall settings if you use one (and maybe port 5900 also).

It worked fine for me.  Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 4 Shlomi Fish 2015-03-28 14:38:27 CET
Hi David,

(In reply to David Walser from comment #3)
> This is pretty neat.
> 
> First you have to use a VNC server to share your desktop via VNC, I used
> krfb.
> 
> Then you run novnc_server, which will allow you to connect from a remote
> machine to your desktop via HTTP, or if you give novnc_server an SSL
> certificate to use, via HTTPS.  You can create a certificate with OpenSSL or
> just use the Apache one if you have that installed (with the option --cert
> /etc/pki/tls/certs/httpd.pem).
> 
> $ krfb &
> $ cd /usr/share/novnc
> $ novnc_server --cert /etc/pki/tls/certs/httpd.pem
> 
> then it gives you some output, including an HTTP URL you can use from a
> remote machine to connect to your desktop.  Make sure you've enabled access
> to port 6080 on your desktop in your firewall settings if you use one (and
> maybe port 5900 also).
> 
> It worked fine for me.  Testing complete Mageia 4 i586.

I got a localhost URL, and was not able to connect to the VM's IP. Otherwise, using a browser to connect to the VM's HTTP service on port localhost:6080 from itself worked fine on MGA4-64. Is it good enough to be marked as OK?

CC: (none) => shlomif

Comment 5 David Walser 2015-03-28 15:57:03 CET
Please fix the firewall settings as I mentioned before.
Comment 6 claire robinson 2015-04-03 16:31:45 CEST
Thanks for the procedure. It's a useful application.

Testing complete mga4 64

In krfb select "New personal invitation" and note the password so you can enter it in the novnc connection settings.

One thing worth noting. It appears to only enter text in CAPS from the remote machine, but it's not a regression.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 7 claire robinson 2015-04-03 17:02:55 CEST
I'm also not able to connect https, that is not a regression either. 

When attempted, using apache cert, it shows several (9?)..

handler exception: [SSL] PEM lib (_ssl.c:2525)
Comment 8 claire robinson 2015-04-03 17:10:04 CEST
Advisory uploaded.

I'll wait for your feedback before validating David.

Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok

Comment 9 David Walser 2015-04-03 18:05:40 CEST
Using the apache cert worked for me, but I suppose it could depend on when and exactly how the cert was generated and some properties of it.

If you want to try regenerating your httpd.pem, it would be:
rm /etc/pki/tls/{certs,private}/httpd.pem
/usr/share/rpm-helper/create-ssl-certificate apache 1 httpd

Hopefully that works.
Comment 10 claire robinson 2015-04-03 18:46:38 CEST
No, unfortunately. It works well without https though, even displaying a remote host with the local novnc.

Trying it on a relatively pristine i586 to see if it's a 64bit issue, it seems to be missing a require..

$ novnc_server --cert /etc/pki/tls/private/httpd.pem
Starting webserver and WebSockets proxy on port 6080
Traceback (most recent call last):
  File "/usr/bin/websockify", line 5, in <module>
    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources
Failed to start WebSockets proxy


Possibly should be creating its own cert (self.pem) too.

$ novnc_server
Warning: could not find self.pem
Starting webserver and WebSockets proxy on port 6080
Traceback (most recent call last):
  File "/usr/bin/websockify", line 5, in <module>
    from pkg_resources import load_entry_point
ImportError: No module named pkg_resources
Failed to start WebSockets proxy
Comment 11 David Walser 2015-04-03 18:54:35 CEST
So does https work if you install python-pkg-resources?

It looks like we need a bug report saying websockify should require python-pkg-resources.

As for generating its own cert, that's really up to the user to do.  The stuff in /usr/share/novnc is technically just an example, you're really supposed to copy it to your own directory somewhere and customize it (if you want) there.
Comment 12 claire robinson 2015-04-03 18:58:39 CEST
It starts with the python package installed but https still shows the handler exception.
Comment 13 David Walser 2015-04-03 19:02:52 CEST
Strange, I just tried generating new certs with create-ssl-certificate, and it still works just fine.  Do you only get the exception on x86_64?
Comment 14 claire robinson 2015-04-03 19:04:25 CEST
No, it's both i586 and x86_64.

Bug 15622 created for websockify
Comment 15 David Walser 2015-04-03 19:08:08 CEST
So it's something particular on your system (maybe a missing requires, maybe who knows?), so I guess we can validate this (since I know it works) if we can't find some obvious reason for the problem.

The only other things I would be trying would be running it as strace -f -o novnc.out novnc [..args..] and checking the strace output to see if anything obvious stands out, like trying to open non-existent files or something.
Comment 16 claire robinson 2015-04-03 19:56:44 CEST
I don't see anything obvious. It's not a regression anyway.

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2015-04-04 12:46:33 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0133.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-06 23:50:56 CEST

URL: (none) => http://lwn.net/Vulnerabilities/639239/

