Bug 678846 - (CVE-2011-1165) CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.
CVE-2011-1165 vino-preferences does not warn about UPnP especially with no pa...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
i686 Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security, Upstream
Depends On: CVE-2011-1164 888637 888638
Blocks: 857251
  Show dependency treegraph
Reported: 2011-02-20 05:40 EST by Robert Townley
Modified: 2015-11-24 10:22 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-01-22 00:18:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Screenshot of what UPnP means. (169.41 KB, image/png)
2011-02-20 05:40 EST, Robert Townley
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 594521 None None None Never
GNOME Desktop 596190 None None None Never

  None (edit)
Description Robert Townley 2011-02-20 05:40:13 EST
Created attachment 479752 [details]
Screenshot of what UPnP means.

Description of problem:
System --->  Preferences --->  Remote Desktop
does not sufficiently warn that UPnP is being used to open ports on your router.  When end user is testing, he very  well may disables confirmation and password.  Because there is no very explicit UPnP warning, he just unwittingly enabled anybody on the internet to connect to his desktop.

Version-Release number of selected component (if applicable):
vino 2.32.0-1.fc14 

How reproducible:
parts always, UPnP success at opening router port varies.  Sometimes, it successfully opens a port, other times it does not. 

Steps to Reproduce:
1.System --> Preferences --> Remote Desktop
2.uncheck confirmation, uncheck password
3.check "Configure network to automatically accept connections."  
Actual results:
Changed router configuration without telling user.  Expose machine to internet usage with no password and no confirmation.

Expected results:
Text should be more explicit that this uses UPnP.  The pop up message mentions UPnP, but it at least should be a red warning.  Especially when no confirmation and no password is required.  

Additional info:
All machines tested have multiple NICs.  selinux enabled.  iptables turned off.  It may take several attempts to open up ports on router using UPnP.  Not sure what happens upon reboot of workstation and router -- UPnP may work to open ports that were not open before.
Comment 1 Robert Townley 2011-02-20 05:51:20 EST
Discussion of Ubuntu user that was "hacked" when really the user interface was not explicit enough.  

VNC does not have encryption.

I am glad to see that xrdp and is used in RHEL 6 because encryption can be built-in.
Comment 2 Vincent Danen 2011-03-23 12:35:49 EDT
Upstream does not plan on correcting strings or documentation until GNOME 3.0 is completed.  The root of this problem is not how vino operates, but the feedback that vino provides when certain options are selected.


This issue did not affect the version of vino as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for Universal Plug and Play (UPnP).  A future update in Red Hat Enterprise Linux 6 may address this flaw.  To mitigate this issue, users should ensure that confirmation is requested on each inbound connection attempt, that a password is required to connect, and that automatic network configuration is disabled.  This will prevent vino from using UPnP to allow access to the VNC port, and will ensure that any connections require a password and that the user is notified on any connection attempts.
Comment 5 errata-xmlrpc 2013-01-21 17:37:14 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0169 https://rhn.redhat.com/errata/RHSA-2013-0169.html

Note You need to log in before you can comment on or make changes to this bug.