oss-sec mailing list archives

Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere

From: David Woodhouse <dwmw2 () infradead org>
Date: Wed, 16 Mar 2011 12:48:53 +0000

On Wed, 2011-03-16 at 07:58 -0400, Josh Bressers wrote:

I probably should have been more clear here. I was under the impression the
CVE id applied to instances where it would use UPnP and no auth, which is
dangerous and should probably include a big warning with a button that says
"I know what I'm doing (but probably not really)".



Right. So that CVE should apply to the case of it listening on a
publicly available IP address with no auth, whether it uses uPnP or not.

If it just listens on the socket and is usable from the outside world
without a password, that's the *same* problem.

The CVE really has nothing to do with uPnP; it's about the lack of
authentication on a publicly-available service.

-- 
dwmw2

Current thread:

CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Jan Lieskovsky (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 14)
  - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Steven M. Christey (Mar 14)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 15)
  - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
    - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David King (Mar 16)
    - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
    - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Josh Bressers (Mar 16)
    - Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere David Woodhouse (Mar 16)
- Re: CVE Request / Discussion -- vino -- reports the desktop being reachable only over the local network, when reachable from everywhere Ludwig Nussel (Mar 16)