[X2Go-Dev] Fixes for 2011-2014 X.org CVEs and potential regressions in nx-libs
Mike DePaulo
mikedep333 at gmail.com
Sun Feb 15 14:32:31 CET 2015
On Sat, Feb 14, 2015 at 12:43 PM, Mike DePaulo <mikedep333 at gmail.com> wrote:
> ...
> https://docs.google.com/spreadsheets/d/1WeneRYO2TkXYOl5J0WozThsLkreF1DiuJAvKCj7xFjU/edit#gid
>
> ...
>
> Also, note that by default, X2GO launches nxagent (the nx-libs X
> server) with "-nolisten tcp". This is configurable in
> /etc/x2go/x2goagent.options . This setting mitigates many of the
> vulnerabilities by preventing nxagent from ever talking to X11
> clients not running on the X2Go Server. I will now be determining
> which vulnerabilities it does mitigate.

Most CVEs are mitigated by "-nolisten TCP", or are N/A because the
CVEs can only be exploited by local X11 clients (X11 applications) anyway.

"-nolisten TCP" is especially important for mitigating CVE-2014-8091
because an X11 client need not be authenticated to exploit it. An
exploit would result in nxagent (and thus your X2Go session) crashing.
(In layman's terms, unless you keep "-nolisten TCP" set, someone on
the network can crash every X2Go session running on an X2Go server.)

2 CVEs are not mitigated by "-nolisten TCP":
CVE-2014-0210, CVE-2014-0211

A malicious remote X Font Server can trigger these vulnerabilities,
even when the X11 clients are running locally on the X2Go server.

-Mike#2
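
An added example, not part of the original message or of X2Go: a check an administrator could run on an X2Go Server to confirm that running agents were actually started with "-nolisten tcp", reading the effective command line rather than the options file. It assumes the agent's argv[0] basename is "nxagent" or "x2goagent"; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original message. Assumption: the agent's
# argv[0] basename is "nxagent" or "x2goagent".

# Succeeds if "-nolisten" is immediately followed by "tcp" in the arguments
# (lowercase, as in the quoted default on this page).
has_nolisten_tcp() {
    prev=
    for arg in "$@"; do
        if [ "$prev" = "-nolisten" ] && [ "$arg" = "tcp" ]; then
            return 0
        fi
        prev=$arg
    done
    return 1
}

# FILE holds a NUL-separated argv, as /proc/PID/cmdline does.
# Returns 0: agent with -nolisten tcp, 1: agent without it, 2: not an agent.
check_cmdline_file() {
    cmdfile=$1
    set --
    while IFS= read -r a; do
        set -- "$@" "$a"
    done <<EOF
$(tr '\0' '\n' 2>/dev/null < "$cmdfile")
EOF
    case "${1##*/}" in
        nxagent|x2goagent) ;;
        *) return 2 ;;
    esac
    has_nolisten_tcp "$@"
}

# Walks /proc and reports every agent started without "-nolisten tcp".
audit_running() {
    bad=0
    for f in /proc/[0-9]*/cmdline; do
        rc=0
        check_cmdline_file "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "WARNING: ${f%/cmdline}: agent started without -nolisten tcp"
            bad=1
        fi
    done
    return "$bad"
}

if [ "${1:-}" = "--audit" ]; then audit_running; fi
```

Run it with `--audit` as root so that other users' `/proc/PID/cmdline` entries are readable; a non-zero exit status means at least one agent was found without the option.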