Bug 678846 (CVE-2011-1165)

Summary: CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.
Product: [Other] Security Response Reporter: Robert Townley <rob.townley>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: collura, rob.townley, sandmann, vdanen
Target Milestone: ---Keywords: Security, Upstream
Target Release: ---   
Hardware: i686   
OS: Linux   
URL: http://www.bani.com.br/lang/en/2009/01/new-vino-dialognova-tela-do-vino/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-22 05:18:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 553477, 888637, 888638    
Bug Blocks: 857251    
Attachments:
Description Flags
Screenshot of what UPnP means. none

Description Robert Townley 2011-02-20 10:40:13 UTC 
Created attachment 479752 [details]
Screenshot of what UPnP means.

Description of problem:
System --->  Preferences --->  Remote Desktop
does not sufficiently warn that UPnP is being used to open ports on your router.  When end user is testing, he very  well may disables confirmation and password.  Because there is no very explicit UPnP warning, he just unwittingly enabled anybody on the internet to connect to his desktop.

Version-Release number of selected component (if applicable):
vino 2.32.0-1.fc14 

How reproducible:
parts always, UPnP success at opening router port varies.  Sometimes, it successfully opens a port, other times it does not. 

Steps to Reproduce:
1.System --> Preferences --> Remote Desktop
2.uncheck confirmation, uncheck password
3.check "Configure network to automatically accept connections."  
  
Actual results:
Changed router configuration without telling user.  Expose machine to internet usage with no password and no confirmation.

Expected results:
Text should be more explicit that this uses UPnP.  The pop up message mentions UPnP, but it at least should be a red warning.  Especially when no confirmation and no password is required.  


Additional info:
All machines tested have multiple NICs.  selinux enabled.  iptables turned off.  It may take several attempts to open up ports on router using UPnP.  Not sure what happens upon reboot of workstation and router -- UPnP may work to open ports that were not open before.
Comment 1 Robert Townley 2011-02-20 10:51:20 UTC 
Discussion of Ubuntu user that was "hacked" when really the user interface was not explicit enough.  
http://www.dslreports.com/forum/r25446313-Ubuntu-computer-hijacked-by-hacker~start=40

VNC does not have encryption.

I am glad to see that xrdp and is used in RHEL 6 because encryption can be built-in.
Comment 2 Vincent Danen 2011-03-23 16:35:49 UTC 
Upstream does not plan on correcting strings or documentation until GNOME 3.0 is completed.  The root of this problem is not how vino operates, but the feedback that vino provides when certain options are selected.

Statement:

This issue did not affect the version of vino as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for Universal Plug and Play (UPnP).  A future update in Red Hat Enterprise Linux 6 may address this flaw.  To mitigate this issue, users should ensure that confirmation is requested on each inbound connection attempt, that a password is required to connect, and that automatic network configuration is disabled.  This will prevent vino from using UPnP to allow access to the VNC port, and will ensure that any connections require a password and that the user is notified on any connection attempts.
Comment 5 errata-xmlrpc 2013-01-21 22:37:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0169 https://rhn.redhat.com/errata/RHSA-2013-0169.html