678846 – (CVE-2011-1165) CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.

Bug 678846 (CVE-2011-1165) - CVE-2011-1165 vino-preferences does not warn about UPnP especially with no password and no confirmation.

Summary: CVE-2011-1165 vino-preferences does not warn about UPnP especially with no pa...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-1165
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://www.bani.com.br/lang/en/2009/0...
Whiteboard:
Depends On:	CVE-2011-1164 888637 888638
Blocks:	857251
TreeView+	depends on / blocked

Reported:	2011-02-20 10:40 UTC by Robert Townley
Modified:	2021-02-24 16:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-01-22 05:18:16 UTC
Embargoed:

Attachments	(Terms of Use)
Screenshot of what UPnP means. (169.41 KB, image/png) 2011-02-20 10:40 UTC, Robert Townley	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
GNOME Bugzilla	594521	None	None	None	Never
GNOME Bugzilla	596190	None	None	None	Never
Red Hat Bugzilla	553477	low	CLOSED	CVE-2011-1164 vino: vino-preferences incorrectly indicates that computer is only reachable over local network	2021-02-25 01:51:54 UTC
Red Hat Product Errata	RHSA-2013:0169	normal	SHIPPED_LIVE	Moderate: vino security update	2013-01-22 03:34:50 UTC

Description Robert Townley 2011-02-20 10:40:13 UTC

Created attachment 479752 [details]
Screenshot of what UPnP means.

Description of problem:
System --->  Preferences --->  Remote Desktop
does not sufficiently warn that UPnP is being used to open ports on your router.  When end user is testing, he very  well may disables confirmation and password.  Because there is no very explicit UPnP warning, he just unwittingly enabled anybody on the internet to connect to his desktop.

Version-Release number of selected component (if applicable):
vino 2.32.0-1.fc14 

How reproducible:
parts always, UPnP success at opening router port varies.  Sometimes, it successfully opens a port, other times it does not. 

Steps to Reproduce:
1.System --> Preferences --> Remote Desktop
2.uncheck confirmation, uncheck password
3.check "Configure network to automatically accept connections."  
  
Actual results:
Changed router configuration without telling user.  Expose machine to internet usage with no password and no confirmation.

Expected results:
Text should be more explicit that this uses UPnP.  The pop up message mentions UPnP, but it at least should be a red warning.  Especially when no confirmation and no password is required.  


Additional info:
All machines tested have multiple NICs.  selinux enabled.  iptables turned off.  It may take several attempts to open up ports on router using UPnP.  Not sure what happens upon reboot of workstation and router -- UPnP may work to open ports that were not open before.

Comment 1 Robert Townley 2011-02-20 10:51:20 UTC

Discussion of Ubuntu user that was "hacked" when really the user interface was not explicit enough.  
http://www.dslreports.com/forum/r25446313-Ubuntu-computer-hijacked-by-hacker~start=40

VNC does not have encryption.

I am glad to see that xrdp and is used in RHEL 6 because encryption can be built-in.

Comment 2 Vincent Danen 2011-03-23 16:35:49 UTC

Upstream does not plan on correcting strings or documentation until GNOME 3.0 is completed.  The root of this problem is not how vino operates, but the feedback that vino provides when certain options are selected.

Statement:

This issue did not affect the version of vino as shipped with Red Hat Enterprise Linux 4 or 5 as they did not include support for Universal Plug and Play (UPnP).  A future update in Red Hat Enterprise Linux 6 may address this flaw.  To mitigate this issue, users should ensure that confirmation is requested on each inbound connection attempt, that a password is required to connect, and that automatic network configuration is disabled.  This will prevent vino from using UPnP to allow access to the VNC port, and will ensure that any connections require a password and that the user is notified on any connection attempts.

Comment 5 errata-xmlrpc 2013-01-21 22:37:14 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0169 https://rhn.redhat.com/errata/RHSA-2013-0169.html

Note You need to log in before you can comment on or make changes to this bug.