[Xrdp-devel] CVE-2005-1794

[Xrdp-devel] CVE-2005-1794

Harry Johnston
Hi,

I'm concerned that a number of web sites wrongly claim or imply that the vulnerability described in CVE-2005-1794 doesn't apply to xrdp, e.g.,  see

http://people.canonical.com/~ubuntu-security/cve/2005/CVE-2005-1794.html

and

https://security-tracker.debian.org/tracker/CVE-2005-1794

(As a result of this misinformation, we almost dismissed the report from our vulnerability scanner as a false positive.  There are of course many situations in which this vulnerability is not a problem, and in fact we're considering it a low priority, but in some environments this could have been a serious oversight.)

The descriptions of this CVE on sites like Mitre, Secunia, etc., generally make no mention of xrdp either way, but the way the vulnerability is described could easily lead people to assume that it does not apply to xrdp.

I'm intending to discuss this with some of the relevant organizations, with the intent of either adding references to xrdp to the most prominent online sources or perhaps issuing a new CVE; I'm not sure what the precedent is in cases like this.  However, I thought I should discuss it with you first, in case you wanted to coordinate, or be CC'd in, or whatever.

Thoughts?

  Harry.


------------------------------------------------------------------------------

_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel

Re: [Xrdp-devel] CVE-2005-1794

Jonathan Buzzard
On 15/08/14 06:51, Harry Johnston wrote:

> Hi,
>
> I'm concerned that a number of web sites wrongly claim or imply that the
> vulnerability described in CVE-2005-1794 doesn't apply to xrdp, e.g.,  see
>
> http://people.canonical.com/~ubuntu-security/cve/2005/CVE-2005-1794.html
>
> and
>
> https://security-tracker.debian.org/tracker/CVE-2005-1794
>
> (As a result of this misinformation, we almost dismissed the report from
> our vulnerability scanner as a false positive.  There are of course many
> situations in which this vulnerability is not a problem, and in fact
> we're considering it a low priority, but in some environments this could
> have been a serious oversight.)


What on earth makes you think that xrdp would have the same hard coded
RSA key in it that a Microsoft terminal server binary had in it nine
years ago? What makes you think it has any hard coded RSA keys?

>
> The descriptions of this CVE on sites like Mitre, Secunia, etc.,
> generally make no mention of xrdp either way, but the way the
> vulnerability is described could easily lead people to assume that it
> does not apply to xrdp.
>

Because it does would be a good starting point.


JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Re: [Xrdp-devel] CVE-2005-1794

Harry Johnston
On 19 August 2014 09:09, Jonathan Buzzard <[hidden email]> wrote:

> What on earth makes you think that xrdp would have the same hard coded
> RSA key in it that a Microsoft terminal server binary had in it nine
> years ago? What makes you think it has any hard coded RSA keys?

That would be because when I looked in the source code, it was there.

You can compare the private key contained in keygen.c to that described in the original advisory here:

http://www.oxid.it/downloads/rdp-gbu.pdf
 
  Harry.



Re: [Xrdp-devel] CVE-2005-1794

jsorg71
Hi Harry,

That signature key is in the msdn documentation and needs to be used
to sign the standard RDP RSA bits.
http://msdn.microsoft.com/en-us/library/cc240776.aspx
The MS client will error out with a security error if it's not signed right.
MS did a poor job on this part of security and the signature is really
only used as a hash to make sure the client got the RSA bits ok.

We're moving to TLS encryption in xrdp now and this is almost working
in devel branch.  TLS encryption is a more industry standard way to
encrypt the RDP traffic.

Jay

On Wed, Aug 20, 2014 at 3:54 PM, Harry Johnston <[hidden email]> wrote:

> On 19 August 2014 09:09, Jonathan Buzzard <[hidden email]> wrote:
>
>> What on earth makes you think that xrdp would have the same hard coded
>> RSA key in it that a Microsoft terminal server binary had in it nine
>> years ago? What makes you think it has any hard coded RSA keys?
>
>
> That would be because when I looked in the source code, it was there.
>
> You can compare the private key contained in keygen.c to that described in
> the original advisory here:
>
> http://www.oxid.it/downloads/rdp-gbu.pdf
>
>   Harry.

Re: [Xrdp-devel] CVE-2005-1794

Harry Johnston
Jay,

Thanks.  Yes, that was my understanding; the vulnerability is in the protocol, so it affects all Microsoft-compatible RDP (5.2 or earlier) software.  I think it is clear that this is not widely understood, though, and this is what concerns me at present.

> We're moving to TLS encryption in xrdp now and this is almost working
> in devel branch.  TLS encryption is a more industry standard way to
> encrypt the RDP traffic.

Excellent.  What clients does this support?  Is it compatible with Microsoft's Remote Desktop client (on Vista and later)?

  Harry.



Re: [Xrdp-devel] CVE-2005-1794

speidy

Hi Harry,

TLS is supported by all well-known clients today (freerdp, rdesktop, mstsc, itap).

It is referred to as 'RDP Enhanced Security' mode in the MS docs.

Idan.


Re: [Xrdp-devel] CVE-2005-1794

Harry Johnston
Excellent, and thanks for clarifying that.  (I wasn't sure whether Microsoft's client supported using the newer protocol without also using RDP 6.0 or later, the version it was introduced with.)

I presume that either the legacy encryption protocol won't be included at all, or that there will be an option to disable it?  We would still consider a machine potentially at risk if it allowed connections using the insecure protocol, since we would have no realistic way to be certain that nobody was using an older client.  Also, OpenVAS appears to correctly detect whether a machine is or is not allowing insecure connections, so it would be desirable on that front too.

Any sort of idea when this is likely to be released?  If it is only a month or two it would probably make sense for me to hold off on any further action, but if it is more likely to be a year, say, I should probably go ahead.

  Harry.




Re: [Xrdp-devel] CVE-2005-1794

speidy
Hi Harry,

Legacy encryption will still be included.
You will be able to configure xrdp's security layer as follows: TLS only, RDP only or Negotiate mode (server will accept the highest compatible sec layer agreed between client & server).

Not sure about release yet.

Idan.


--
Idan Freiberg
Mobile: +972-52-2925213
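
The difference between the TLS-only, RDP-only and Negotiate modes discussed above shows up in the server's X.224 Connection Confirm, which is what a check for legacy-security acceptance can read. The following is an added example, not part of the thread or of xrdp: it parses that reply using the field layout in MS-RDPBCGR and reports whether a client that offered only standard RDP security was accepted; the function names and sample byte strings are constructed for illustration.

```python
import struct

# selectedProtocol / failureCode values from the MS-RDPBCGR negotiation structures
PROTOCOLS = {0: "RDP", 1: "TLS", 2: "CredSSP", 8: "CredSSP-EX"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def parse_connection_confirm(data: bytes):
    """Return (kind, value) from an X.224 Connection Confirm PDU."""
    if len(data) < 11:
        raise ValueError("truncated PDU")
    version, _reserved, tpkt_len = struct.unpack(">BBH", data[:4])
    if version != 3 or tpkt_len != len(data):
        raise ValueError("bad TPKT header")
    # X.224 header: length indicator, code, dst-ref(2), src-ref(2), class
    if data[4] != len(data) - 5 or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not a Connection Confirm")
    neg = data[11:]
    if not neg:
        # No negotiation block: the server only speaks standard RDP security
        return ("legacy", "RDP")
    if len(neg) != 8:
        raise ValueError("bad negotiation block")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation length")
    if msg_type == 0x02:   # RDP_NEG_RSP
        return ("response", PROTOCOLS.get(value, hex(value)))
    if msg_type == 0x03:   # RDP_NEG_FAILURE
        return ("failure", FAILURES.get(value, hex(value)))
    raise ValueError("unknown negotiation type")

def accepts_legacy_security(reply: bytes) -> bool:
    """True if a client offering only standard RDP security was accepted."""
    kind, value = parse_connection_confirm(reply)
    return kind != "failure" and value == "RDP"

# Constructed sample replies to a request with requestedProtocols = 0
_CC_NEG = bytes.fromhex("030000130ed00000123400")
SAMPLES = {
    "no-negotiation": bytes.fromhex("0300000b06d00000123400"),
    "rdp-accepted": _CC_NEG + bytes.fromhex("0200080000000000"),
    "tls-required": _CC_NEG + bytes.fromhex("0300080001000000"),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, parse_connection_confirm(reply), accepts_legacy_security(reply))
```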
