Tuesday, October 15, 2024
HomeCVE/vulnerabilityGNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

Published on

Malware protection

GNOME desktop manager was equipped with a new feature which allowed remote users to create graphical sessions on the system by configuring the system daemon.

This daemon runs as a dedicated “gnome-remote-desktop” and also provides a D-bus interface on the D-bus system bus. 

These features have been introduced in GNOME remote desktop version 46 along with several other system services.

- Advertisement - SIEM as a Service

However, some of the new system services were discovered with some critical security issues in which one of them was associated with System credentials leak and Local Private Key Leak.

Technical Analysis – CVE-2024-5148

Local Private Key Leak

According to the reports shared with Cyber Security News, the Local private key leak exists due to the fact that the system daemon keeps public SSL certificates and respective private keys in /var/lib/gnome-remote-desktop/.local/share/gnome-remote-desktop/certificates location.

The access to this directory is also restricted to and can only be accessed by the service user “gnome-remote-desktop”, mode 0700. However, any local user can intercept the private SSL key via “org.gnome.RemoteDesktop.Rdp.Handover” D-Bus interface. 

Additionally, the private key is also returned from the StartHandover D-Bus function that can also be intercepted.

If a remote desktop client connects to the system daemon, the time window is too long which can be utilized by an attacker to call this method on the created session object.

This leads to an unauthenticated access to the D-bus interface which allows a threat actor to connect to the system daemon without any authentication or required.

Nevertheless, for escalating this vulnerability into a denial of service condition which requires valid RDP credentials. 

System Credentials Leak

If any RDP connection uses shared system credentials, a threat actor with low privileges can gain these credentials in cleartext similar to the previous interception method and call an unauthenticated D-Bus method “GetSystemCredentials()” of the handover interface.

Further, these system credentials can also be used by a threat actor to connect to the GDM via RDP.

However, it does not directly grant a session for a threat actor as there is an authentication present in the display manager that must be performed.

In case if there is an automatic login configured, then the authentication is a piece of cake for the threat actor.

These vulnerabilities have been fixed in the latest release of GNOME remote desktop.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...