Bug 730081 (CVE-2011-2916)

Summary: CVE-2011-2916 freenx-client: qtnx stores configuration, including non-default authentication key, with insecure permissions
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: axel.thimm, gwync
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-22 16:08:44 UTC
Bug Depends On: 730085

Description Vincent Danen 2011-08-11 17:44:05 UTC
It was reported [1] that the qtnx client would store non-custom SSH keys in a world-readable configuration file.  If a user did not have a properly secured home directory (if it was world-readable or world-executable), this could allow other users on the local system to obtain the private key used to connect to remote NX sessions.

For example:

% ls -al .qtnx
total 12
drwxrwxr-x.  2 user user 4096 Aug 11 11:36 .
drwxr-x---. 27 user user 4096 Aug 11 11:37 ..
-rw-rw-r--.  1 user user 1209 Aug 11 11:40 cerb.nxml
% grep Auth .qtnx/cerb.nxml 
<option key="Authentication Key" value="sekritz"></option>

qtnx should probably set the permissions of the *.nxml files to 0600, or the ~/.qtnx/ directory should be mode 0700 (like ~/.ssh/).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637439
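
Added example (not part of the original report or of qtnx): a shell check that flags a qtnx directory or *.nxml session file readable by group or other, then applies the 0700/0600 modes suggested above. The function names and the sample tree are hypothetical and constructed for illustration; GNU stat is assumed.

```sh
#!/bin/sh
# Added example: audit and tighten a qtnx configuration directory.
# Uses GNU stat (coreutils), matching the Linux systems in the report.

# True when PATH grants any permission bit to group or other.
loose_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Print one line per loosely protected item; return 1 if any was found.
audit_qtnx() {
    dir=$1; findings=0
    if loose_mode "$dir"; then
        echo "DIR  $mode $dir (want 700)"; findings=1
    fi
    for f in "$dir"/*.nxml; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if loose_mode "$f"; then
            note=""
            grep -q 'key="Authentication Key"' "$f" && note=" [holds Authentication Key]"
            echo "FILE $mode $f (want 600)$note"; findings=1
        fi
    done
    [ "$findings" -eq 0 ]
}

# Apply the modes the report suggests: 0700 directory, 0600 session files.
harden_qtnx() {
    chmod 700 "$1" || return 1
    for f in "$1"/*.nxml; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then chmod 600 "$f" || return 1; fi
    done
}

# Constructed sample reproducing the listing in the report (value is fake).
make_sample_qtnx() {
    base=$(mktemp -d) || return 1
    mkdir "$base/.qtnx" && chmod 775 "$base/.qtnx"
    printf '%s\n' '<option key="Authentication Key" value="CONSTRUCTED"></option>' \
        > "$base/.qtnx/cerb.nxml"
    chmod 664 "$base/.qtnx/cerb.nxml"
    echo "$base/.qtnx"
}

sample=$(make_sample_qtnx)
audit_qtnx "$sample" || harden_qtnx "$sample"
audit_qtnx "$sample" && echo "OK: $sample is private"
rm -rf "${sample%/.qtnx}"
```

Mode 0700 on the directory also covers session files that are written later with looser modes, since other users can no longer traverse into it.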

Comment 1 Vincent Danen 2011-08-11 17:50:22 UTC
Created freenx-client tracking bugs for this issue

Affects: fedora-all [bug 730085]

Comment 2 Vincent Danen 2011-08-12 21:41:34 UTC
This issue was assigned the name CVE-2011-2916.