Bug 22734 - nx new security issue CVE-2017-2624
Summary: nx new security issue CVE-2017-2624
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-11 14:27 CET by David Walser
Modified: 2018-04-13 22:09 CEST

See Also:
Source RPM: nx-3.5.0.32-1.mga6.src.rpm
CVE: CVE-2017-2624
Status comment:


Description David Walser 2018-03-11 14:27:15 CET
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JSPXW5WCJM4QIBQVMB3FWB7BP2LWAL45/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-11 14:27:23 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-03-11 16:14:24 CET

Status comment: (none) => Patch available from Fedora

Comment 1 Marja Van Waes 2018-03-12 06:09:30 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => ghibomgx, marja11
Assignee: bugsquad => pkg-bugs

Stig-Ørjan Smelror 2018-03-12 15:15:11 CET

Assignee: pkg-bugs => smelror
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2018-03-12 15:27:39 CET
Advisory
========

The nx package has been updated to fix a security issue.

CVE-2017-2624: Timing attack against MIT Cookie

References
==========
https://security-tracker.debian.org/tracker/CVE-2017-2624

Files
=====

Uploaded to core/updates_testing:

nxagent-3.5.0.33-1.mga6
nxproxy-3.5.0.33-1.mga6
x2goagent-3.5.0.33-1.mga6
lib64nxX11_0-3.5.0.33-1.mga6
lib64xcomp3-3.5.0.33-1.mga6
lib64xcompext3-3.5.0.33-1.mga6

from nxagent-3.5.0.33-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status comment: Patch available from Fedora => (none)
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2017-2624
Version: Cauldron => 6
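
The CVE named in the advisory above concerns the X server code comparing a received MIT cookie with memcmp(), which returns at the first mismatching byte. The following is an added example, not part of this bug report or of the nx patch: it counts bytes examined by an early-exit comparison and by a constant-time one. The 16-byte cookie length, the sample cookie and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16 /* assumed: MIT-MAGIC-COOKIE-1 uses a 128-bit cookie */

/* Constructed sample cookie, not taken from any real session. */
static const unsigned char SAMPLE_COOKIE[COOKIE_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x16,
    0x70, 0xcf, 0x29, 0x84, 0xf5, 0x0b, 0x6e, 0xd3
};

/* Early-exit comparison, the shape of a typical memcmp(): it returns at the
 * first differing byte, so the work done depends on the secret. *steps
 * records how many bytes were examined. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: every byte is always examined and differences
 * are accumulated with OR, so the work is independent of where they occur. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *steps)
{
    unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hypothetical cookie gate in the fixed style: the length is public, so it
 * may be checked first; the contents go through ct_equal(). */
static int check_cookie(const unsigned char *stored,
                        const unsigned char *got, size_t got_len)
{
    size_t steps;
    if (got_len != COOKIE_LEN)
        return 0;
    return ct_equal(stored, got, COOKIE_LEN, &steps);
}

/* Bytes examined when a candidate agrees with the sample cookie on exactly
 * its first `prefix` bytes (0 <= prefix <= COOKIE_LEN). */
static size_t steps_for_prefix(int constant_time, size_t prefix)
{
    unsigned char guess[COOKIE_LEN];
    size_t steps = 0;
    memcpy(guess, SAMPLE_COOKIE, COOKIE_LEN);
    for (size_t i = prefix; i < COOKIE_LEN; i++)
        guess[i] ^= 0xff; /* force a mismatch from position `prefix` on */
    if (constant_time)
        ct_equal(SAMPLE_COOKIE, guess, COOKIE_LEN, &steps);
    else
        leaky_equal(SAMPLE_COOKIE, guess, COOKIE_LEN, &steps);
    return steps;
}

int main(void)
{
    for (size_t p = 0; p <= COOKIE_LEN; p += 4)
        printf("prefix %2zu: early-exit %2zu bytes, constant-time %2zu bytes\n",
               p, steps_for_prefix(0, p), steps_for_prefix(1, p));
    return 0;
}
```

The early-exit count grows with the length of the matching prefix, which is the signal a timing measurement picks up; the constant-time count stays at the full cookie length for every input.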

Comment 3 Stig-Ørjan Smelror 2018-03-12 15:27:55 CET
Cauldron has also been updated.
Comment 4 Len Lawrence 2018-03-15 18:49:27 CET
Been working all day on this without any progress.  If I cannot get it working in another couple of hours shall pass it over to somebody else.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-03-19 20:04:31 CET
Still trying to get this to work.  nomachine is not an option so I am concentrating on x2go.

x2goserver is running on machine difda.
$ systemctl status x2goserver
● x2goserver.service - X2Go session cleanup
   Loaded: loaded (/usr/lib/systemd/system/x2goserver.service; enabled; vendor p
   Active: active (running) since Sat 2018-03-17 09:51:31 GMT; 2 days ago
  Process: 18177 ExecStart=/usr/sbin/x2gocleansessions (code=exited, status=0/SU
 Main PID: 18387 (x2gocleansessio)
   CGroup: /system.slice/x2goserver.service
           └─18387 /usr/bin/perl /usr/sbin/x2gocleansessions

Warning: Journal has been rotated since unit was started. Log output is incomple

x2goclient is running on machine belexeuli.
Tried setting up sessions several times but the login always fails.
But this always works from belexeuli:
$ ssh lcl@difda
and the login works in the other direction also.

One puzzle is the 'path' field in session properties; it is always / and cannot be changed.  What should that be?  My inclination would be to point it to  the home directory but it cannot be set - the entry field is greyed out.

There are no messages in the journal.  Trying to find some kind of session log.
Comment 6 Len Lawrence 2018-03-19 20:21:57 CET
All I could find was this, an extract from /var/log/auth.log around the time the connection was attempted.

Mar 19 18:46:13 difda sshd[31774]: Accepted keyboard-interactive/pam for lcl from 192.168.1.156 port 50878 ssh2
Mar 19 18:46:13 difda systemd-logind[18179]: New session c9 of user lcl.
Mar 19 18:46:13 difda sshd[31774]: pam_unix(sshd:session): session opened for user lcl by (uid=0)
Mar 19 18:46:36 difda sshd[31958]: rexec line 118: Deprecated option UsePrivilegeSeparation
Mar 19 18:46:36 difda sshd[31958]: error: key_load_private: invalid format
Mar 19 18:46:36 difda sshd[31958]: error: key_load_public: invalid format
Mar 19 18:46:36 difda sshd[31958]: error: Could not load host key: /etc/ssh/ssh_host_key
Mar 19 18:46:54 difda sshd[31777]: Received disconnect from 192.168.1.156 port 50878:11: Bye Bye
Mar 19 18:46:54 difda sshd[31777]: Disconnected from user lcl 192.168.1.156 port 50878
Mar 19 18:46:54 difda systemd-logind[18179]: Removed session c9.
Mar 19 18:46:54 difda sshd[31774]: pam_unix(sshd:session): session closed for user lcl

It is referring to /etc/ssh/ private and public keys, which seem to be encrypted.
Comment 7 Len Lawrence 2018-03-19 20:36:25 CET
Attempted to open a client session on belexeuli and noted the precise time.
On difda the tail of auth.log shows:

Mar 19 19:24:32 difda sshd[12744]: rexec line 118: Deprecated option UsePrivilegeSeparation
Mar 19 19:24:32 difda sshd[12744]: error: key_load_private: invalid format
Mar 19 19:24:32 difda sshd[12744]: error: key_load_public: invalid format
Mar 19 19:24:32 difda sshd[12744]: error: Could not load host key: /etc/ssh/ssh_host_key
Mar 19 19:24:32 difda sshd[12744]: Accepted keyboard-interactive/pam for lcl from 192.168.1.156 port 51206 ssh2
Mar 19 19:24:32 difda systemd-logind[18179]: New session c12 of user lcl.
Mar 19 19:24:32 difda sshd[12744]: pam_unix(sshd:session): session opened for user lcl by (uid=0)

On belexeuli the connection failed immediately.

On difda:
$ ps aux | grep 12744
root     12744  0.0  0.0  82808  6440 ?        Ss   19:24   0:00 sshd: lcl [priv]

So does this mean that the problem is at the client end?
Comment 8 Len Lawrence 2018-03-19 20:47:33 CET
No auth.log on the client end.
The journal contains this section at the time of the connection attempt:
Mar 19 19:24:11 belexeuli pkexec[21152]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Mar 19 19:24:11 belexeuli pkexec[21152]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Mar 19 19:24:12 belexeuli pkexec[21166]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Mar 19 19:24:12 belexeuli pkexec[21166]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Mar 19 19:24:12 belexeuli pkexec[21173]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Mar 19 19:24:12 belexeuli pkexec[21173]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Mar 19 19:24:12 belexeuli pkexec[21180]: pam_systemd(polkit-1:session): Cannot create session: Already running in a session
Mar 19 19:24:12 belexeuli pkexec[21180]: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Comment 9 Herman Viaene 2018-03-23 10:59:35 CET
MGA6-32 on Dell Latitude D600 Mate
Installing packages from Comment 2 is OK, but that's not a complete environment to test.
Found https://wiki.x2go.org/doku.php/wiki:repositories:start and trying to make sense of it. Will report later on any progress.

CC: (none) => herman.viaene

Comment 10 Herman Viaene 2018-03-23 11:35:41 CET
It seems you need to install x2goserver and x2goclient. And have sshd running on the server side.
I've been able to run x2goclient, define a connection to the server (on the same laptop) and connect.
That works up to a certain level where I get an error saying that the server side cannot find a sqlite-perl item. Investigating further, but that won't be today anymore.
Comment 11 Len Lawrence 2018-03-23 17:21:12 CET
Tried the same experiment as Herman on x86_64.  The connection failed immediately with exactly the same error as before: "Cannot connect to X server".  So this does not seem to be a networking problem at all - it looks more like a privilege or permissions problem.  The user is a member of the x2gouser group.  And, even though the server is running on the same machine there is no /var/log/auth.log.

$ x2goclient --debug

Tried the localhost connection and failed to connect as usual.

Debug messages:

$ x2go-INFO-1> "Starting X2Go Client..."
x2go-WARNING-1> "English language requested, not loading translator."
x2go-WARNING-1> "English language requested, not loading translator."
x2go-INFO-3> "Started X2Go Client."
x2go-DEBUG-../src/onmainwindow.cpp:517> "$HOME=/home/lcl"
x2go-DEBUG-../src/onmainwindow.cpp:2206> Reading 2 sessions from config file.
x2go-DEBUG-../src/sessionbutton.cpp:325> Creating QPixmap with session icon: "//home/lcl/icons/apple-red.png".
x2go-DEBUG-../src/sessionbutton.cpp:325> Creating QPixmap with session icon: "//home/lcl/icons/apple-green.png".
x2go-DEBUG-../src/onmainwindow.cpp:2686> Creating QPixmap with session icon: '"//home/lcl/icons/apple-green.png"'.
x2go-INFO-8> "Starting connection to server: belexeuli:22"
x2go-DEBUG-../src/onmainwindow.cpp:2787> Starting new ssh connection to server:"belexeuli":"22" krbLogin: false
x2go-DEBUG-../src/sshmasterconnection.cpp:174> SshMasterConnection, host "belexeuli"port 22user "lcl"useproxy falseproxyserver ""proxyport 22
x2go-DEBUG-../src/sshmasterconnection.cpp:211> Starting SSH connection without Kerberos authentication.
x2go-DEBUG-../src/sshmasterconnection.cpp:215> SshMasterConnection, instance SshMasterConnection(0xfac520)  created. 
x2go-DEBUG-../src/sshmasterconnection.cpp:451> SshMasterConnection, instance SshMasterConnection(0xfac520)  entering thread. 
x2go-DEBUG-../src/sshmasterconnection.cpp:487> libssh not initialized yet. Initializing.
x2go-DEBUG-../src/sshmasterconnection.cpp:798> cserverAuth
x2go-DEBUG-../src/sshmasterconnection.cpp:813> state: 1

x2go-DEBUG-../src/sshmasterconnection.cpp:988> Challenge authentication requested.

x2go-DEBUG-../src/sshmasterconnection.cpp:866> Have prompts: 1

x2go-DEBUG-../src/sshmasterconnection.cpp:872> Prompt[0]: |Password: |

x2go-DEBUG-../src/sshmasterconnection.cpp:878> Password request

x2go-DEBUG-../src/sshmasterconnection.cpp:866> Have prompts: 0

x2go-DEBUG-../src/sshmasterconnection.cpp:949> Challenge authentication OK.

x2go-DEBUG-../src/sshmasterconnection.cpp:663> User authentication OK.
x2go-DEBUG-../src/onmainwindow.cpp:2884> SSH connection established.
x2go-DEBUG-../src/onmainwindow.cpp:3193> Continue normal X2Go session
x2go-DEBUG-../src/sshprocess.cpp:199> Executing remote command via SshProcess object 0: "export HOSTNAME && x2golistsessions"
x2go-DEBUG-../src/sshprocess.cpp:204> this=SshProcess(0xfb2ec0)  Running masterCon->addChannelConnection(this, ' "67db5b9f-6bb2-4870-93e3-2fb5d290bcc2" ', ' "bash -l -c 'echo "X2GODATABEGIN:67db5b9f-6bb2-4870-93e3-2fb5d290bcc2"; export PATH="/usr/local/bin:/usr/bin:/bin"; export TERM="dumb"; export HOSTNAME && x2golistsessions; echo "X2GODATAEND:67db5b9f-6" '); 
x2go-DEBUG-../src/sshmasterconnection.cpp:1324> Locking SSH channel connection MUTEX.
x2go-DEBUG-../src/sshmasterconnection.cpp:1326> Passing new channel conenction object to channelConnections.
x2go-DEBUG-../src/sshmasterconnection.cpp:1328> Unlocking SSH channel connection MUTEX.
x2go-DEBUG-../src/sshmasterconnection.cpp:1516> Creating new channel.

x2go-DEBUG-../src/sshmasterconnection.cpp:1520> New channel:0x7fee5800e300

x2go-DEBUG-../src/sshmasterconnection.cpp:1551> Executing remote: "bash -l -c 'echo "X2GODATABEGIN:67db5b9f-6bb2-4870-93e3-2fb5d290bcc2"; export PATH="/usr/local/bin:/usr/bin:/bin"; export TERM="dumb"; export HOSTNAME && x2golistsessions; echo "X2GODATAEND:67db5b9f-6bb2-4870-93e3-2fb5d290bcc2";'"

x2go-DEBUG-../src/sshmasterconnection.cpp:1574> New exec channel created.

x2go-DEBUG-../src/sshmasterconnection.cpp:1623> EOF on channel 0x7fee5800e300; SshProcess object: 0
x2go-DEBUG-../src/sshmasterconnection.cpp:1746> EOF sent.
x2go-DEBUG-../src/sshmasterconnection.cpp:1750> Channel closed.
x2go-DEBUG-../src/sshprocess.cpp:517> SSH finished: raw output (stdout): "X2GODATABEGIN:67db5b9f-6bb2-4870-93e3-2fb5d290bcc2
X2GODATAEND:67db5b9f-6bb2-4870-93e3-2fb5d290bcc2
"
x2go-DEBUG-../src/sshprocess.cpp:523> Have stderr only, something must be wrong.
x2go-DEBUG-../src/sshprocess.cpp:528> SSH finished: false - "Unable to connect to X server
" (0).
x2go-DEBUG-../src/onmainwindow.cpp:3582> "Unable to connect to X server
"


"something must be wrong" it says.  "Have stderr only" probably refers to the debug stream in the terminal.  Completely opaque.

So how did you do it Herman?
Comment 12 Len Lawrence 2018-03-23 17:38:45 CET
I did try defining a new session with the SSH RSA key field filled in but did not really know what to put there.  Copy/pasted a line from the known_hosts file and tried again.  SSH asked if the key was to be trusted - said yes and the whole thing crashed.
Comment 13 Len Lawrence 2018-03-23 18:08:48 CET
Deleted that session and defined another using the RSA key or fingerprint, not sure what it is.  It starts with the AAAA string.
Tried to login and the gui vanished.  No enquiry about trust.  After that simply selecting the session causes the gui to crash immediately - no login dialogue.
The debug trace ends with:
x2go-DEBUG-../src/sshmasterconnection.cpp:798> cserverAuth
x2go-DEBUG-../src/sshmasterconnection.cpp:813> state: 1

x2go-DEBUG-../src/sshmasterconnection.cpp:1077> Trying to authenticate user with private key.

*** Error in `x2goclient': free(): invalid pointer: 0x00007f259aa4a190 ***
Aborted (core dumped)
Comment 14 Len Lawrence 2018-03-23 18:13:10 CET
The same thing happens when I try to connect across the LAN as well after adding the RSA key - an immediate  Abort and no login dialogue.
Comment 15 Len Lawrence 2018-03-23 18:28:57 CET
I finally figured out that the program is looking for a file, not the actual key value so pointed it at known_hosts.  On entering the user password I was prompted for a passphrase.  That did not make sense because there is no passphrase associated with my normal remote logins.  All I use is my login password.  So I have no idea what is going on.  I had deleted my authorized keys and authorized hosts files because I was always forgetting the passphrases.  There must be some relics in the known_hosts file so I shall have to delete all my known_hosts files and recreate them - six machines and ten vboxes.
Comment 16 Len Lawrence 2018-03-23 20:15:19 CET
This has got me beat.  Removed known_hosts and regenerated keypairs for difda and belexeuli - this time without passphrases.  Rebuilt known_hosts by logging in remotely both ways.  Tried x2go again on belexeuli, client end and told it to look in known_hosts.  As soon as the session is invoked a prompt comes up for a passphrase and since there is none I click or hit return.  x2go tried three times then reverted to normal login but simply went through the triple passphrase business again and again.

This just does not make sense.
Comment 17 Len Lawrence 2018-03-23 20:22:19 CET
And now a new thing.  It is possible to login remotely from a terminal but there is always this message now:
sign_and_send_pubkey: signing failed: agent refused operation
Password:
Comment 18 Len Lawrence 2018-03-23 22:57:13 CET
Re comment 17.  Ahem, working now after sshd restart.
No progress with nx / x2go though.
Comment 19 Herman Viaene 2018-03-24 10:37:04 CET
@ Len
You should have a working ssh environment before you try x2go, this is nowhere mentioned.
I got the first time I defined a session and tried to connect, a question "Do you want to accept this key?" of course!
The problem I'm researching now is that apparently on the server side it expects to store/retrieve some info in a Sqlite table, but that isn't there. This seems to be new, I failed up to now to find guidance for that, but I am not ready to give up.
Comment 20 Len Lawrence 2018-03-24 11:31:35 CET
@Herman
Yes I always have ssh up and running with .ssh/known_hosts configured and now have added authorized_hosts.  All that stuff works without any problem.

I tried a completely new nx update on a Plasma partition just now but even starting from scratch have not been able to connect to a localhost session - connection refused every time.

The setup procedure was:
Install nx update packages
Install x2goserver and x2goclient
Add user to the x2gouser group
Start x2goserver and check status
Run x2goclient from the system menus
Configure a session in x2goclient
  server = localhost
  login = lcl
  SSH port = 22
  Use RSA key = /home/lcl/.ssh/known_hosts
  session type = KDE

Nothing else checked/ticked
Comment 21 Brian Rockwell 2018-03-24 16:58:16 CET
Me 2 I tried through two machines with no luck.  It claims it is running on the server, but I can't get anything to talk to it.

yes SSH is working, I can connect through ssh with a password. 
yes I set up a public/private rsa key

yes I tried remmina NX connections
yes I tried the No-Machines client

Even tried dropping firewall.

The only thing next to try is setting up the actual nomachines software and see if I can make that work on a server then client into it.

I suspect somewhere there is a config file needing a tweak.

CC: (none) => brtians1

Comment 22 Giuseppe Ghibò 2018-03-24 17:03:26 CET
Haven't tried recently because my cauldron doesn't start anymore after a massive upgrade of packages, but in mga6 the x2goserver must have a FQDN, so for instance "localhost.localdomain" as hostname works, but just "localhost" won't.

Apart that problem, in some configurations the authentication prompts first for the desktop password, then just followed by the passphrase of the ssh key (an authentication without the ssh key won't work).

Other side effects of common interests: on HiDPI screens, e.g. 4k, connecting to a standard remote desktop (e.g. 1024x768) would result in an almost unreadable screen because the characters are too tiny and, to my knowledge there is no magnification function. This because the x2goclient is built against QT4 libraries, and QT5 support is still incomplete, at least last time I checked (there is also a report here https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=864, seem shortage of manpower).

Another side effect I haven't figured out where it comes from (whether from sound card or elsewhere), is that you get something like "coil whining" during the ethernet connection to remote desktops. Pretty weird.
Comment 23 Len Lawrence 2018-03-24 18:33:16 CET
Tried the degenerate case with localhost.localdomain but at login still get
"cannot connect to localhost.localdomain:22" and "connection refused".
That was with .ssh/known_hosts specified.  However, that file does not contain any reference to localhost.localdomain.

Shall experiment with that.
Comment 24 Len Lawrence 2018-03-24 18:55:13 CET
Modified known_hosts by copying the workstation's key to a new entry entitled localhost.localdomain,127.0.0.1 and added localhost.localdomain as an alias for localhost in /etc/hosts.

Restarted sshd.

This time there was a dialogue about the host key having been changed - possible man-in-the-middle attack... and there was an offer to replace the key, which I accepted.  Failure on login attempt.

Edited known_hosts to remove the old entry and tried again.
This time it looked as if the key had been accepted but it asked for a passphrase for decryption - which did not exist and eventually defaulted to the normal login, which failed.  So, it looks like x2go will not accept unprotected keys.

I am abandoning this update.
Comment 25 Len Lawrence 2018-03-24 19:20:29 CET
One more go:

Generated a new key-pair with a passphrase and specified id_rsa to x2go.
Tried autologin as well and went straight to the input passphrase.  It was not accepted, so even if the key is protected x2go will not deal.
Could this be a bug?
Comment 26 Brian Rockwell 2018-03-24 22:34:05 CET
I've tried a variety of ways.  I established two nomachine entities and was able to connect.

I stepped back and then took the server back to nxagent and tried to set up the keys per instructions in https://www.nomachine.com/AR02L00785


No which way, these two machines don't want to talk using nxagent and SSH.  yes I'm using nomachine SSH mode and private keys set up.


stumped.
Comment 27 Len Lawrence 2018-03-25 09:53:12 CEST
Using Brian's suggestion of remmina tried remote and local connections but got no further than a terminal connection.  In both cases "Unable to connect to X server".
Comment 28 Herman Viaene 2018-03-25 11:13:59 CEST
Part of the difference between my setup and Len and Brian is that I try to test this in one machine (but using its FQDN resolved by my DNS server in my network).
Due to the message I got I presumed I needed to still install the x2goserver-sqlite package, but to no avail.
The error I get is "Verbinding mislukt. DBD::SQLite::db prepare failed: no such table: sessions at /usr/lib/x2go/x2gosqlitewrapper.pl line 476. Can't call method "execute" on an undefined value at /usr/lib/x2go/x2gosqlitewrapper.pl line 484." (connection failed)
I've up to now found anything that refers to the usage of sqlite in x2go, but apparently it does.
Comment 29 Herman Viaene 2018-03-25 11:36:19 CEST
YESSSSS!!!!!
Googling with this error learned me that I still needed to run as root:
# x2godbadmin --createdb
# systemctl restart x2goserver
Then as normal user (apart from some warning about nl_BE not found) I could run x2goclient, connect to my session and I got a working desktop in an x2go window.
Well working in a sense that after waiting long enough I could open the MATE menus, I didn't dare to go any further, this laptop was already severely overloaded.
If no one objects up the ladder, I OK this for 32-bit.

Whiteboard: (none) => MGA6-32-OK

Comment 30 Lewis Smith 2018-03-26 15:17:29 CEST
@Herman: congratulations on a long & hard win.

I am willing to have a go if possible. I have a stand-alone machine, an SSH setup for SVN:
 $ tree -a .ssh
.ssh
├── config
├── known_hosts
├── local
├── local.pub
├── mageia
└── mageia.pub
 and these programs to go with it:
lib64ssh4-0.7.5-1.mga6
lib64ssh2_1-1.7.0-2.mga6
openssh-clients-7.5p1-2.1.mga6
openssh-7.5p1-2.1.mga6
openssh-server-7.5p1-2.1.mga6
openssh-askpass-common-7.5p1-2.1.mga6
libssh2_1-1.7.0-2.mga6
php-ssh2-0.12-10.1.mga6
openssh-askpass-qt5-2.0.3-1.mga6

The problem of a FQDN always stumps me. Would you care to summarise what you found necessary to do to make this fly? (Trying to get the essential from the comments is difficult). Perhaps not possible on a single machine.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Lewis Smith 2018-04-03 12:05:35 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 31 Herman Viaene 2018-04-03 12:18:36 CEST
@ Lewis
Well, I did not do anything particular for this update in the way, that I always have an internal DNS server (my desktop machine) running. All instances of MGA (and Win as well) on the laptops point as first DNS server to this desktop machine and have a full FQDN that is resolved by this DNS server.
So, up to now that setup seems to have saved me from all hostname issues.
Comment 32 Mageia Robot 2018-04-13 22:09:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0200.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

