Bug 910082 (CVE-2013-5745)

Summary: CVE-2013-5745 vino: denial of service flaw
Product: [Other] Security Response
Reporter: Nathanael Noblet <nathanael>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amigadave, debarshir, jkurik, jrusnack, kem, pfrields
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,public=20100421,reported=20130916,source=internet,cvss2=5/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-5/vino=affected,rhel-7/vino=notaffected,rhel-6/vino=affected,fedora-all/vino=affected,cwe=CWE-400
Doc Type: Bug Fix
Story Points: ---
Clone Of:
Clones: 1007492 1008443 1008445
Last Closed: 2015-02-26 17:55:21 EST
Type: Bug
Regression: ---
Bug Depends On: 1007492, 1008443, 1008445, 1008661, 1009228, 1009233
Bug Blocks: 1008660

Description Nathanael Noblet 2013-02-11 13:27:17 EST
Description of problem:
I have vino set to require a password. The system is on a publicly accessible machine. One morning I arrived to find / full and vino-server using inordinate amounts of CPU. In trying to find free space I also noticed that soon after freeing space, it would get used up (which is when I looked at what processes were running and found vino using too much CPU for not having a client connected).

In the end I found that ~/.cache/gdm/session.log was 669G. A message was repeated: "AM Authentication deferred - ignoring client message".

It was repeating 80,000 times per second in the log file.

Thus Vino should introduce some form of rate limiting or other related features to help avoid this situation. It would also be nice if it could detect something like this and add a setting for blacklisting IPs that make more than X requests per second or some such. I realize, though, that some of that could be done via a firewall, so perhaps not on that second part. However, rate limiting the logs would be very useful to avoid this situation.


How reproducible:
Not easy to reproduce as I don't know exactly what was making the requests to vino.


Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=693608
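The failure mode described in the report, as an added illustration that is not vino's code or the upstream fix: an unauthenticated client can make the server write one log line per message it sends, so the logger itself has to bound its output. The filter below, for Python's standard logging module, keeps the first few copies of an identical message per time window, drops the rest, and reports how many were dropped when the window rolls over. The simulate_flood driver, the constructed "Authentication deferred" line, the fake clock and the rate/window numbers are all assumptions for the example.

```python
import logging
import time


class RepeatRateLimiter(logging.Filter):
    """Let at most `max_per_window` copies of an identical message through per
    `window` seconds; drop the rest and, when the window rolls over, annotate
    the next copy with how many were dropped.

    Added illustration, not vino's code or the upstream patch."""

    def __init__(self, max_per_window=5, window=1.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock          # injectable so the example can drive time itself
        # message text -> (window_start, emitted_in_window, suppressed_in_window)
        self._state = {}

    def filter(self, record):
        key = record.getMessage()
        now = self.clock()
        start, emitted, suppressed = self._state.get(key, (now, 0, 0))
        if now - start >= self.window:
            # Window rolled over: let this copy through, carrying a summary
            # of what was dropped during the previous window.
            if suppressed:
                record.msg = "%s [%d similar messages suppressed in the last %.1fs]"
                record.args = (key, suppressed, now - start)
            self._state[key] = (now, 1, 0)
            return True
        if emitted < self.max_per_window:
            self._state[key] = (start, emitted + 1, suppressed)
            return True
        self._state[key] = (start, emitted, suppressed + 1)
        return False


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the effect can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Constructed sample: the line the reporter saw 80,000 times a second.
FLOOD_LINE = "Authentication deferred - ignoring client message"


def simulate_flood(n_messages, rate=10000, max_per_window=5, window=1.0):
    """Push n_messages copies of FLOOD_LINE through the limiter at `rate`
    messages per second of simulated time and return the lines that reached
    the handler. Hypothetical driver for the example, not a vino interface."""
    fake_now = [0.0]
    logger = logging.Logger("vino-example")   # standalone, not registered globally
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RepeatRateLimiter(max_per_window, window,
                                       clock=lambda: fake_now[0]))
    for i in range(n_messages):
        fake_now[0] = i / rate
        logger.info(FLOOD_LINE)
    return handler.lines


if __name__ == "__main__":
    # 30,000 messages over 3 simulated seconds: 15 lines reach the log
    # instead of 30,000, and the first line of each later window reports
    # the 9,995 copies dropped from the window before it.
    for line in simulate_flood(30000):
        print(line)
```

The window and per-window limit are the two knobs: a disk-fill attack at 80,000 messages per second becomes a handful of lines per second plus a count, while the summary keeps the evidence that the flood happened. A limiter keyed on the message text still lets an attacker vary the message to defeat it, so a production version would key on the log site or the remote peer as well.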
Comment 1 David King 2013-09-12 09:54:51 EDT
This bug is fixed upstream, and the patch to fix it is simple and can be applied to the version in Fedora:

https://mail.gnome.org/archives/distributor-list/2013-September/msg00001.html
Comment 3 Vincent Danen 2013-09-16 14:59:07 EDT
Also, this was given the name CVE-2013-5745.
Comment 4 Vincent Danen 2013-09-16 15:20:43 EDT
Created vino tracking bugs for this issue:

Affects: fedora-all [bug 1008661]
Comment 8 errata-xmlrpc 2013-10-22 13:18:45 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1452 https://rhn.redhat.com/errata/RHSA-2013-1452.html
Comment 9 Fedora Update System 2013-10-24 21:51:11 EDT
vino-3.8.1-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.