Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
Last week, I was making some performance enhancements to theVNC protocol implementations in the TrustKeeper Scanning Engine. Unfortunately, in my mission to "Go Fast!", Imanaged to trigger a Denial of Service (DoS) vulnerability in Vino. Vino is the VNC server for the GNOME desktopenvironment and also happens be to the default VNC server for popular Linuxdistributions like Ubuntu.
Shortly after finding the vulnerability, we reached out to theGNOME project and the security team there was nothing short of awesome for us to workwith. They patched the vulnerability thesame day (link)and they notified the major Linux distributions with a fix the day after (link).
The vulnerability should be fixed in Vino 3.9.92 (and 3.8.2if there is a future release in the 3.8 branch). At the time of this writing, it doesn'tappear that the patch has made it's way down to the Ubuntu distribution justyet, but I hope it will be there and in other distributions very soon.
If you want more details about the vulnerability, including PoC code, please see our detailed advisory.
***UPDATE – October 2, 2013***
Ubuntu released USN-1980 to address this vulnerability on September 30th, 2013.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.