Bug 678846 (CVE-2011-1165) - CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.
Summary: CVE-2011-1165 vino-preferences does not warn about UPnP especially with no pa...
Alias: CVE-2011-1165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.bani.com.br/lang/en/2009/0...
Depends On: CVE-2011-1164 888637 888638
Blocks: 857251
TreeView+ depends on / blocked
Reported: 2011-02-20 10:40 UTC by Robert Townley
Modified: 2021-02-24 16:29 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-01-22 05:18:16 UTC

Attachments (Terms of Use)
Screenshot of what UPnP means. (169.41 KB, image/png)
2011-02-20 10:40 UTC, Robert Townley
no flags Details

System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 594521 0 None None None Never
GNOME Bugzilla 596190 0 None None None Never
Red Hat Bugzilla 553477 0 low CLOSED CVE-2011-1164 vino: vino-preferences incorrectly indicates that computer is only reachable over local network 2021-02-25 01:51:54 UTC
Red Hat Product Errata RHSA-2013:0169 0 normal SHIPPED_LIVE Moderate: vino security update 2013-01-22 03:34:50 UTC

Description Robert Townley 2011-02-20 10:40:13 UTC
Created attachment 479752 [details]
Screenshot of what UPnP means.

Description of problem:
System --->  Preferences --->  Remote Desktop
does not sufficiently warn that UPnP is being used to open ports on your router.  When end user is testing, he very  well may disables confirmation and password.  Because there is no very explicit UPnP warning, he just unwittingly enabled anybody on the internet to connect to his desktop.

Version-Release number of selected component (if applicable):
vino 2.32.0-1.fc14 

How reproducible:
parts always, UPnP success at opening router port varies.  Sometimes, it successfully opens a port, other times it does not. 

Steps to Reproduce:
1.System --> Preferences --> Remote Desktop
2.uncheck confirmation, uncheck password
3.check "Configure network to automatically accept connections."  
Actual results:
Changed router configuration without telling user.  Expose machine to internet usage with no password and no confirmation.

Expected results:
Text should be more explicit that this uses UPnP.  The pop up message mentions UPnP, but it at least should be a red warning.  Especially when no confirmation and no password is required.  

Additional info:
All machines tested have multiple NICs.  selinux enabled.  iptables turned off.  It may take several attempts to open up ports on router using UPnP.  Not sure what happens upon reboot of workstation and router -- UPnP may work to open ports that were not open before.

Comment 1 Robert Townley 2011-02-20 10:51:20 UTC
Discussion of Ubuntu user that was "hacked" when really the user interface was not explicit enough.  

VNC does not have encryption.

I am glad to see that xrdp and is used in RHEL 6 because encryption can be built-in.

Comment 2 Vincent Danen 2011-03-23 16:35:49 UTC
Upstream does not plan on correcting strings or documentation until GNOME 3.0 is completed.  The root of this problem is not how vino operates, but the feedback that vino provides when certain options are selected.


This issue did not affect the version of vino as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for Universal Plug and Play (UPnP).  A future update in Red Hat Enterprise Linux 6 may address this flaw.  To mitigate this issue, users should ensure that confirmation is requested on each inbound connection attempt, that a password is required to connect, and that automatic network configuration is disabled.  This will prevent vino from using UPnP to allow access to the VNC port, and will ensure that any connections require a password and that the user is notified on any connection attempts.

Comment 5 errata-xmlrpc 2013-01-21 22:37:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0169 https://rhn.redhat.com/errata/RHSA-2013-0169.html

Note You need to log in before you can comment on or make changes to this bug.