Bug 2283545 (CVE-2023-50977) - CVE-2023-50977 gnome-shell: Shell Captive Portal Hijack
Summary: CVE-2023-50977 gnome-shell: Shell Captive Portal Hijack
Keywords:
Status: NEW
Alias: CVE-2023-50977
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2283555
Blocks: 2283546
Reported: 2024-05-27 20:48 UTC by Pedro Sampaio
Modified: 2025-05-12 15:19 UTC (History)

Fixed In Version: GNOME Shell 45.2
Clone Of:
Environment:
Last Closed: 2025-05-12 13:43:04 UTC
Embargoed:



Description Pedro Sampaio 2024-05-27 20:48:30 UTC
In GNOME Shell through 45.2, unauthenticated remote code execution can be achieved by intercepting two DNS requests (GNOME Network Manager and GNOME Shell Portal Helper connectivity checks), and responding with attacker-specific IP addresses. This DNS hijacking causes GNOME Captive Portal to be launched via a WebKitGTK browser, by default, on the victim system; this can run JavaScript code inside a sandbox. NOTE: the vendor's position is that this is not a vulnerability because running JavaScript code inside a sandbox is the intended behavior.

References:

https://gitlab.gnome.org/GNOME/gnome-shell/-/blob/ceed3e07e44f2cd1bfdbf273523abc0bb4bbd8c1/js/portalHelper/main.js
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7666

Comment 1 Pedro Sampaio 2024-05-27 21:59:04 UTC
Created gnome-shell tracking bugs for this issue:

Affects: fedora-all [bug 2283555]

Comment 3 Sandipan Roy 2024-06-13 15:46:42 UTC
This vulnerability is classified as moderate severity rather than high because it requires a specific and controlled environment to be exploited effectively. The attacker needs to perform DNS hijacking within the same local network, which limits the scope of potential targets. Additionally, the exploit depends on the GNOME Captive Portal automatically opening a WebKitGTK browser, which, while a default behavior, may not be universally applicable across all GNOME configurations. Furthermore, modern web browsers use sandboxing as a mechanism to contain malicious activity, significantly reducing the potential impact of the exploit. This sandboxing mitigates the risk of the attack affecting other parts of the system, thus lowering the severity of this flaw to moderate. The exploitation vector, while technically feasible, involves multiple steps that reduce the likelihood of widespread, automated attacks. Thus, the impact, while serious, is confined to scenarios with network control and specific GNOME settings, justifying its moderate severity classification.

Comment 4 Jan Grulich 2025-05-12 13:43:04 UTC
My understanding is that this issue was fixed in gnome-shell 47+ with [1], which we have in Fedora 41 and newer, therefore this issue can be closed.

[1] - https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/4ab1ccf3f21b754ce4be77becf5df46084a893d8

Comment 5 Jan Grulich 2025-05-12 15:19:40 UTC
I'm sorry, I accidentally closed the tracker instead of the Fedora bug. Reopening again.

