Vino VNC Server Remote Persistent DoS Vulnerability

Last week, I was making some performance enhancements to theVNC protocol implementations in the TrustKeeper Scanning Engine. Unfortunately, in my mission to "Go Fast!", Imanaged to trigger a Denial of Service (DoS) vulnerability in Vino. Vino is the VNC server for the GNOME desktopenvironment and also happens be to the default VNC server for popular Linuxdistributions like Ubuntu.

Shortly after finding the vulnerability, we reached out to theGNOME project and the security team there was nothing short of awesome for us to workwith. They patched the vulnerability thesame day (link)and they notified the major Linux distributions with a fix the day after (link).

The vulnerability should be fixed in Vino 3.9.92 (and 3.8.2if there is a future release in the 3.8 branch). At the time of this writing, it doesn'tappear that the patch has made it's way down to the Ubuntu distribution justyet, but I hope it will be there and in other distributions very soon.

If you want more details about the vulnerability, including PoC code, please see our detailed advisory.

***UPDATE – October 2, 2013***

Ubuntu released USN-1980to address this vulnerability on September 30th, 2013.


Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.