[FreeNX-kNX] Security: Serious bug in authority handling found and fixed

Fabian Franz FabianFranz at gmx.de
Thu Feb 17 15:25:24 UTC 2005


Hi,

this mail has four parts:

  1. FreeNX authority handling: missing authorization file and wrong umask
  2. Fix: FreeNX 0.2.8
  3. Hint about X11 race condition enabling exploits
  4. Where to get updated packages

1. FreeNX authority handling: missing authorization file and wrong umask
========================================================================

Summary: FreeNX does not set the XAUTHORITY environment variable (as it
         should) before starting nxagent. Nxagent then allows access from
         all local users, as if "xhost +localhost" had been set.

Severity: Serious

Solution: export XAUTHORITY pointing to a valid authorization file before
          starting nxagent.

Affected versions: All FreeNX versions and possibly most tunnel scripts.

How to check:
-------------

Login into a FreeNX server and issue the command:
  > xhost

  access control enabled, only authorized clients can connect
  INET:<Hostname>
  INET:<DNS-Entry>
  LOCAL:

On affected machines you see something like the above.

In normal operation you should see just:
  > xhost

  access control enabled, only authorized clients can connect


2. Fix: FreeNX 0.2.8
====================

We have prepared a fixed FreeNX 0.2.8 version. By now most distributions will
have updated their packages to FreeNX 0.2.8. FreeNX 0.2.8 not only fixes
the serious security bug outlined above, but also fixes two more
problems, which _could_ lead to a security risk.

The two problems are:
-------------------

  A. FreeNX writes the MIT-MAGIC-COOKIE for a short moment into the
     file ~/.nx/C-<sess_id>/scripts/authority
     (One should not write passwords or other sensitive information
     into files unless absolutely necessary.)

  B. ~/.nx/C-<sess_id>/options is world-readable in FreeNX and this
     includes a cookie the proxy uses for authentication.

Setting a correct umask fixes both problems.

The 0.2.8 FreeNX release is a special bugfix release addressing
these topics. It resolves specifically the problems outlined above.

You should upgrade to 0.2.8 or apply a patch.
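The check from part 1 and the fix from part 2, as an added shell example that is not code from this advisory or from FreeNX itself: the first function classifies a captured `xhost` listing (sample listings are constructed), the second sets a restrictive umask, creates a per-session authority file and exports XAUTHORITY the way a tunnel script must do before it starts nxagent. It also treats `SI:` entries as host entries, which goes beyond the listing shown in the mail; the session directory, display number and cookie are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory or FreeNX). Two defender-side pieces:
#  - xhost_access_is_tight: the "How to check" step from part 1, applied to
#    an xhost listing passed in as a string;
#  - prepare_session_authority: the part 2 fix, umask first, then the
#    authority file, then XAUTHORITY exported before the agent is started.

# Returns 0 when the listing shows access control enabled and no host
# entries (the healthy state), 1 when it lists INET:/LOCAL:/SI: entries
# (the affected "xhost +localhost" state) or access control is disabled.
xhost_access_is_tight() {
    listing=$1
    printf '%s\n' "$listing" | grep -q '^access control enabled' || return 1
    if printf '%s\n' "$listing" | grep -Eq '^(INET|LOCAL|SI):'; then
        return 1
    fi
    return 0
}

# Creates $1/authority with owner-only permissions, seeds it with the
# MIT-MAGIC-COOKIE-1 for display :$2 when xauth is installed (otherwise
# writes a constructed placeholder so the permission check still runs),
# and exports XAUTHORITY. Returns 1 if the file is not mode 0600.
prepare_session_authority() {
    sessdir=$1; display=$2; cookie=$3
    umask 077                    # addresses A and B: nothing world-readable
    mkdir -p "$sessdir" || return 1
    authfile=$sessdir/authority
    : > "$authfile" || return 1  # created 0600 under umask 077
    if command -v xauth >/dev/null 2>&1; then
        xauth -f "$authfile" add ":$display" MIT-MAGIC-COOKIE-1 "$cookie" || return 1
    else
        printf 'placeholder-not-a-real-xauth-entry\n' > "$authfile"
    fi
    [ "$(ls -ld "$authfile" | cut -c1-10)" = "-rw-------" ] || return 1
    XAUTHORITY=$authfile
    export XAUTHORITY            # must be in the environment before nxagent runs
    return 0
}
```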

3. Hint about X11 race condition enabling exploits
==================================================

There is an additional bug in X11 which I found when investigating the
FreeNX flaw detailed above. This bug may also trigger exactly the same
behaviour as the missing authorization file in FreeNX described above.

This means:
-----------

An X server may fail to read the authority file and "think" there is no
valid file, hence it falls back to security settings equivalent to "xhost
+localhost" as in 1), without the user being made aware of this.

This bug is solved in the latest nx-X11 release, as already published by NoMachine.

So you should update FreeNX and nx-X11 from your preferred distributor.

4. Where to get updated packages
================================

Sources
-------

FreeNX 0.2.8: http://debian.tu-bs.de/knoppix/nx/freenx-0.2.8.tar.gz
nx-X11-1.4.0-10: http://www.nomachine.com/download/nxsources/nx-X11/nx-X11-1.4.0-10.tar.gz

Red Hat / Fedora
----------------

FC2, FC3 and other X.org Fedora based distributions
http://fedoranews.org/contributors/rick_stout/freenx/freenx-0.2.8-0.fdr.0.noarch.rpm
http://fedoranews.org/contributors/rick_stout/freenx/freenx-0.2.8-0.fdr.0.src.rpm
http://fedoranews.org/contributors/rick_stout/freenx/nx-1.4.0-0.fdr.4.i386.rpm
http://fedoranews.org/contributors/rick_stout/freenx/nx-1.4.0-0.fdr.4.src.rpm

FC1, RH9 and other XFree86 Redhat based distributions
http://fedoranews.org/contributors/rick_stout/freenx/freenx-0.2.8-0.rh.0.noarch.rpm
http://fedoranews.org/contributors/rick_stout/freenx/freenx-0.2.8-0.rh.0.src.rpm
http://fedoranews.org/contributors/rick_stout/freenx/nx-1.4.0-0.rh.4.i386.rpm
http://fedoranews.org/contributors/rick_stout/freenx/nx-1.4.0-0.rh.4.src.rpm

http://fedoranews.org/contributors/rick_stout/freenx/md5sum

Others
------

All other packages should be received through the usual upgrade mechanisms of
the preferred distribution.

For those who want to patch their systems manually, I also attached a
working .diff against 0.2.7.

CVS is _not_ yet updated but will be in the next minutes; I'll also publish a
new snapshot then.

cu

Fabian
A non-text attachment was scrubbed...
Name: freenx-0.2.8.diff
Type: text/x-diff
Size: 3025 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20050217/ab9f2842/attachment.bin>