Bug 2282003 (CVE-2024-5148)

Summary: CVE-2024-5148 gnome-remote-desktop: inadequate validation of session agents using D-Bus methods may expose RDP TLS certificate
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnome-remote-desktop 46.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2282226    
Bug Blocks: 2282007    

Description Robb Gatica 2024-05-20 19:02:22 UTC
Description:
gnome-remote-desktop system daemon does inadequate validation of session agents using D-Bus methods related to transitioning a client
connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized
users. Furthermore, it may be possible for a malicious user on the system to take control of the RDP client connection during the login screen to user session transition. 

Affected version: 
46.alpha through 46.1

Fixed version: 
46.2 (forthcoming) 

Reference:
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196

Comment 4 Robb Gatica 2024-05-21 16:24:46 UTC
Created gnome-remote-desktop tracking bugs for this issue:

Affects: fedora-all [bug 2282226]