Dear Dmitry,
On Thu 26 Sep 2013 20:10:29 CEST, Secunia Research wrote:
> Hello,
>
> We are currently processing release notes [1] for X2Go Server and are evaluating whether to issue a Secunia advisory for this. Please see the original document for details.
>
> For the benefit of our mutual customers, to properly evaluate the mentioned vulnerability, we would appreciate it if you could provide us with additional information:
>
> - Can you provide any additional information about the fixed vulnerability?
The vulnerability fix can be found at [1] for the current master
branch and a similar approach on the 4.0.0.x/4.0.1.x release branches
[2].
> - Can you provide additional information with regards to the impact and the exploitability of the vulnerability (e.g. an attack vector)?
Before the above commit it was easily possible to execute arbitrary
code as user x2gouser.
The setuid/gid wrapper (gid in our case) is a replacement for
deprecated perlsuid.
The release is included in X2Go Server 4.0.0.2 and any later version.
There were times when X2Go was still using perlsuid. There the
vulnerability did not exist either [3].
> - Are there any mitigating factors or recommended workarounds?
Upgrade to latest versions. We maintain the 4.0.0.x release series for
some more months/years (LTS X2Go bundle releases aka Baikal). The
current stable releases (4.0.1.x series) can also be chosen for
upgrade. The master branch is not yet released, but also fixes the
issue that occurred.
> Thank you in advance and kind regards,
> Dmitry Janushkevich
>
> References:
> [1] http://lists.berlios.de/pipermail/x2go-announcement/2013-May/000125.html
Greets, Mike
PS: please note that there was a similar issue to fix in the X2Go
Session Broker [4]. That one got solved in x2gobroker 0.0.2.2 and
existed in all earlier versions.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de