Red Hat Bugzilla – Bug 678846
CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.
Last modified: 2015-11-24 10:22:03 EST
Created attachment 479752 [details]
Screenshot of what UPnP means.
Description of problem:
System ---> Preferences ---> Remote Desktop
does not sufficiently warn that UPnP is being used to open ports on your router. When end user is testing, he very well may disables confirmation and password. Because there is no very explicit UPnP warning, he just unwittingly enabled anybody on the internet to connect to his desktop.
Version-Release number of selected component (if applicable):
parts always, UPnP success at opening router port varies. Sometimes, it successfully opens a port, other times it does not.
Steps to Reproduce:
1.System --> Preferences --> Remote Desktop
2.uncheck confirmation, uncheck password
3.check "Configure network to automatically accept connections."
Changed router configuration without telling user. Expose machine to internet usage with no password and no confirmation.
Text should be more explicit that this uses UPnP. The pop up message mentions UPnP, but it at least should be a red warning. Especially when no confirmation and no password is required.
All machines tested have multiple NICs. selinux enabled. iptables turned off. It may take several attempts to open up ports on router using UPnP. Not sure what happens upon reboot of workstation and router -- UPnP may work to open ports that were not open before.
Discussion of Ubuntu user that was "hacked" when really the user interface was not explicit enough.
VNC does not have encryption.
I am glad to see that xrdp and is used in RHEL 6 because encryption can be built-in.
Upstream does not plan on correcting strings or documentation until GNOME 3.0 is completed. The root of this problem is not how vino operates, but the feedback that vino provides when certain options are selected.
This issue did not affect the version of vino as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for Universal Plug and Play (UPnP). A future update in Red Hat Enterprise Linux 6 may address this flaw. To mitigate this issue, users should ensure that confirmation is requested on each inbound connection attempt, that a password is required to connect, and that automatic network configuration is disabled. This will prevent vino from using UPnP to allow access to the VNC port, and will ensure that any connections require a password and that the user is notified on any connection attempts.
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0169 https://rhn.redhat.com/errata/RHSA-2013-0169.html