The GNOME desktop manager recently introduced a new feature that allowed remote users to create graphical sessions on the system by configuring the system daemon. This new feature, known as “gnome-remote-desktop,” also provides a D-bus interface on the D-bus system bus. These additions were part of the GNOME remote desktop version 46, which included several other system services.
However, with the introduction of these new system services, some critical security issues were also discovered. One of the vulnerabilities, identified as CVE-2024-5148, involved a Local Private Key Leak. According to reports shared with Cyber Security News, the leak occurred because the system daemon stored public SSL certificates and their private keys in a specific location (/var/lib/gnome-remote-desktop/.local/share/gnome-remote-desktop/certificates) with restricted access only to the service user “gnome-remote-desktop” in mode 0700. Despite these restrictions, any local user could intercept the private SSL key via the “org.gnome.RemoteDesktop.Rdp.Handover” D-Bus interface. Additionally, the private key could also be obtained through the StartHandover D-Bus function, providing an opportunity for attackers to access sensitive information.
Moreover, if a remote desktop client connected to the system daemon, there was a potential time window for attackers to exploit the vulnerability by calling the method on the created session object, leading to unauthenticated access to the D-bus interface without any authentication required. However, escalating this vulnerability into a denial of service condition would necessitate valid RDP credentials to execute.
Another security concern identified was the System Credentials Leak, which could occur if an RDP connection utilized shared system credentials. In this scenario, a threat actor with low privileges could obtain these credentials in cleartext by intercepting them through the D-Bus method “GetSystemCredentials()” of the handover interface. These system credentials could then be used to connect to the GDM via RDP. Although this access did not immediately grant a session to the threat actor due to authentication requirements in the display manager, automatic login configurations could make it easier for attackers to exploit the vulnerability.
The vulnerabilities associated with the GNOME remote desktop have been addressed in the latest release of the software. The updates aim to patch these security flaws and enhance the overall system security to prevent unauthorized access and potential breaches. It is crucial for users to regularly update their software to ensure they are protected against known security vulnerabilities and potential cyber threats.