Bug 730081 (CVE-2011-2916) - CVE-2011-2916 freenx-client: qtnx stores configuration, including non-default authentication key, with insecure permissions
Alias: CVE-2011-2916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 730085
Reported: 2011-08-11 17:44 UTC by Vincent Danen
Modified: 2019-09-29 12:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-08-22 16:08:44 UTC

Description Vincent Danen 2011-08-11 17:44:05 UTC
It was reported [1] that the qtnx client would store non-custom SSH keys in a world-readable configuration file.  If a user did not have a properly secured home directory (if it was world-readable or world-executable), this could allow other users on the local system to obtain the private key used to connect to remote NX sessions.

For example:

% ls -al .qtnx
total 12
drwxrwxr-x.  2 user user 4096 Aug 11 11:36 .
drwxr-x---. 27 user user 4096 Aug 11 11:37 ..
-rw-rw-r--.  1 user user 1209 Aug 11 11:40 cerb.nxml
% grep Auth .qtnx/cerb.nxml 
<option key="Authentication Key" value="sekritz"></option>

qtnx should probably set the permissions of the *.nxml files to 0600, or the ~/.qtnx/ directory should be mode 0700 (like ~/.ssh/)

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637439
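
An audit for the condition reported above, as an added example that is not part of the original report and is not qtnx or freenx-client code: it flags a ~/.qtnx directory or *.nxml session file whose mode grants group or other access, and with "fix" applies the 0700 and 0600 modes the report suggests. The function names, the output format and the sample key value are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not qtnx or freenx-client code.

# Octal mode of a path: GNU stat first, BSD stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True when any group or other permission bit is set on the path.
is_exposed() {
    local mode
    mode=$(mode_of "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# audit_qtnx DIR [fix]: one line per finding; returns 0 if clean, 1 if exposed.
# With "fix", applies the modes suggested in the report (0700 dir, 0600 files).
audit_qtnx() {
    local dir="$1" fix="${2:-}" found=0 f kind
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if is_exposed "$dir"; then
        echo "EXPOSED dir  $(mode_of "$dir") $dir"; found=1
        [ "$fix" != fix ] || chmod 0700 "$dir"
    fi
    for f in "$dir"/*.nxml; do
        [ -f "$f" ] || continue
        is_exposed "$f" || continue
        # Distinguish session files that actually carry an Authentication Key.
        kind=file
        if grep -q 'key="Authentication Key"' "$f"; then kind="key "; fi
        echo "EXPOSED $kind $(mode_of "$f") $f"; found=1
        [ "$fix" != fix ] || chmod 0600 "$f"
    done
    return "$found"
}

# Constructed sample reproducing the listing in the report (0775 dir, 0664 file).
qtnx_demo() {
    local tmp; tmp=$(mktemp -d) || return 2
    mkdir "$tmp/.qtnx"
    echo '<option key="Authentication Key" value="constructed"></option>' \
        > "$tmp/.qtnx/cerb.nxml"
    chmod 0775 "$tmp/.qtnx"; chmod 0664 "$tmp/.qtnx/cerb.nxml"
    audit_qtnx "$tmp/.qtnx" fix      # reports both entries, then tightens them
    audit_qtnx "$tmp/.qtnx" && echo "clean after fix"
    rm -rf "$tmp"
}

# Usage: script.sh ~/.qtnx [fix]   or   script.sh --demo
if [ "${1:-}" = --demo ]; then qtnx_demo; elif [ "$#" -gt 0 ]; then audit_qtnx "$@"; fi
```

Tightening the modes only limits future reads; a key that sat in a readable file may already have been copied.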

Comment 1 Vincent Danen 2011-08-11 17:50:22 UTC
Created freenx-client tracking bugs for this issue

Affects: fedora-all [bug 730085]

Comment 2 Vincent Danen 2011-08-12 21:41:34 UTC
This issue was assigned the name CVE-2011-2916.
