Saturday, June 22, 2024

GNOME Remote Desktop Vulnerability Let Attackers Read Login Credentials

GNOME desktop manager was equipped with a new feature which allowed remote users to create graphical sessions on the system by configuring the system daemon.

This daemon runs as a dedicated “gnome-remote-desktop” and also provides a D-bus interface on the D-bus system bus. 

These features have been introduced in GNOME remote desktop version 46 along with several other system services.

However, some of the new system services were discovered with some critical security issues in which one of them was associated with System credentials leak and Local Private Key Leak.

Technical Analysis – CVE-2024-5148

Local Private Key Leak

According to the reports shared with Cyber Security News, the Local private key leak exists due to the fact that the system daemon keeps public SSL certificates and respective private keys in /var/lib/gnome-remote-desktop/.local/share/gnome-remote-desktop/certificates location.

The access to this directory is also restricted to and can only be accessed by the service user “gnome-remote-desktop”, mode 0700. However, any local user can intercept the private SSL key via “org.gnome.RemoteDesktop.Rdp.Handover” D-Bus interface. 

Additionally, the private key is also returned from the StartHandover D-Bus function that can also be intercepted.

If a remote desktop client connects to the system daemon, the time window is too long which can be utilized by an attacker to call this method on the created session object.

This leads to an unauthenticated access to the D-bus interface which allows a threat actor to connect to the system daemon without any authentication or required.

Nevertheless, for escalating this vulnerability into a denial of service condition which requires valid RDP credentials. 

System Credentials Leak

If any RDP connection uses shared system credentials, a threat actor with low privileges can gain these credentials in cleartext similar to the previous interception method and call an unauthenticated D-Bus method “GetSystemCredentials()” of the handover interface.

Further, these system credentials can also be used by a threat actor to connect to the GDM via RDP.

However, it does not directly grant a session for a threat actor as there is an authentication present in the display manager that must be performed.

In case if there is an automatic login configured, then the authentication is a piece of cake for the threat actor.

These vulnerabilities have been fixed in the latest release of GNOME remote desktop.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles