Bug 1048274 (CVE-2017-11171)

Summary: VUL-1: CVE-2017-11171: gnome-session: Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92 allows a local attacker to establish ICE connections to gnome-session with invalid authentication data (an invalid magic cookie).
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: matthias.gerstner, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/188314/
Whiteboard: CVSSv2:SUSE:CVE-2017-11171:2.1:(AV:L/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-11171:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2017-11171:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv2:NVD:CVE-2017-11171:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: PoC program

Description Marcus Meissner 2017-07-12 06:48:27 UTC
CVE-2017-11171

Bad reference counting in the context of accept_ice_connection() in
gsm-xsmp-server.c in old versions of gnome-session up until version 2.29.92
allows a local attacker to establish ICE connections to gnome-session with
invalid authentication data (an invalid magic cookie). Each failed
authentication attempt will leak a file descriptor in gnome-session. When the
maximum number of file descriptors is exhausted in the gnome-session process, it
will enter an infinite loop trying to communicate without success, consuming
100% of the CPU. The graphical session associated with the gnome-session process
will stop working correctly, because communication with gnome-session is no
longer possible.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11171
https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d
Comment 1 Matthias Gerstner 2017-07-12 07:47:56 UTC
Created attachment 732063
PoC program
Comment 2 Matthias Gerstner 2017-07-12 08:11:31 UTC
We've found this bug while testing the PoC for bug 1025068.

QA reproducer: The program in attachment 732063 reliably triggers the issue.

Requires xorg-x11-libICE-devel installed.

Compile like this:

> gcc -o ice_dos ice_dos.c -g -O2 -lICE

Run the PoC:

> # Remove any old ICE sockets:
> rm -rf /tmp/.ICE-unix
> # Restart X server:
> rcxdm restart
> # Before continuing, log in with a regular user into X, using gnome desktop.
> # At this point only a single socket should remain in /tmp/.ICE-unix.
> #
> # Running the PoC should stall after about 1000 authentication attempts
> ./ice_dos

In this state you should see in `top` that the gnome-session process is
consuming 100% CPU.

After the bugfix the PoC should exit after 1024 attempts, and gnome-session
should continue functioning normally.
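The mechanism in the description above (one descriptor leaked per failed authentication, then a busy loop once the process hits its descriptor limit) and the roughly 1024-attempt stall expected from the QA reproducer in comment 2, modelled as an added example. This is not gnome-session's code and not the attached PoC: a socketpair stands in for the ICE unix socket, constant strings stand in for the MIT-MAGIC-COOKIE-1 secret, and handle_connection() stands in for accept_ice_connection(). The close-on-rejection shown as the "fix" is the generic remedy the description implies; the upstream commit linked above reworked the ICE handling more broadly, and this example makes no claim about its exact code. All names and cookie values are constructed for the demo.

```c
/* Added example (not gnome-session code, not the attached PoC): models the
 * fd-leak-per-failed-auth class described for CVE-2017-11171. Names, cookie
 * values and limits are constructed for this demo. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

#define GOOD_COOKIE "deadbeefcafe"  /* constructed stand-in for the ICEauthority cookie */
#define BAD_COOKIE  "wrong-cookie"  /* what a PoC-style client presents */
#define MAX_HELD    4096            /* bound on leaked descriptors the demo tracks */

/* Descriptors this process holds open: probe each fd with F_GETFD up to the
 * soft limit (capped to keep the scan cheap). On Linux this equals the
 * entry count of /proc/<pid>/fd. */
int count_open_fds(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    long limit = (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > 65536) ? 65536 : (long)rl.rlim_cur;
    int n = 0;
    for (long fd = 0; fd < limit; fd++)
        if (fcntl((int)fd, F_GETFD) != -1) n++;
    return n;
}

/* Stand-in for the cookie comparison done during ICE protocol setup. */
static bool authenticate(int fd) {
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n <= 0) return false;
    buf[n] = '\0';
    return strcmp(buf, GOOD_COOKIE) == 0;
}

/* One authentication round on an accepted descriptor. With leak_on_failure a
 * rejected connection is dropped without close(), the behaviour the advisory
 * describes; otherwise it is closed. Returns 1 if the fd is still open. */
static int handle_connection(int conn_fd, bool leak_on_failure) {
    if (authenticate(conn_fd)) {
        close(conn_fd);   /* a real session would carry on here */
        return 0;
    }
    if (leak_on_failure)
        return 1;         /* bug: fd stays open for the life of the process */
    close(conn_fd);       /* fix: release the rejected connection */
    return 0;
}

/* Client half sends the wrong cookie and hangs up; server half goes through
 * handle_connection(). Returns the leaked server fd, -1 if it was closed,
 * -2 on a socket error (errno stored in *err). */
static int one_failed_attempt(bool leak_on_failure, int *err) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { *err = errno; return -2; }
    if (write(sv[0], BAD_COOKIE, sizeof BAD_COOKIE - 1) != (ssize_t)(sizeof BAD_COOKIE - 1)) {
        *err = errno; close(sv[0]); close(sv[1]); return -2;
    }
    close(sv[0]);
    return handle_connection(sv[1], leak_on_failure) ? sv[1] : -1;
}

/* Up to max_attempts failed authentications; leaked fds go into held[].
 * Stops early on a socket error. Returns the number of fds held. */
static int run_failed_auths(int max_attempts, bool leak_on_failure, int held[], int *err) {
    int nheld = 0;
    for (int i = 0; i < max_attempts && nheld < MAX_HELD; i++) {
        int fd = one_failed_attempt(leak_on_failure, err);
        if (fd == -2) break;
        if (fd >= 0) held[nheld++] = fd;
    }
    return nheld;
}

/* How many descriptors the server is left holding after 'attempts' bad
 * cookies. Leaked fds are closed before returning so the demo is repeatable. */
int fds_leaked_by_failed_auths(int attempts, bool leak_on_failure) {
    int held[MAX_HELD], err = 0;
    int before = count_open_fds();
    int nheld = run_failed_auths(attempts, leak_on_failure, held, &err);
    int delta = count_open_fds() - before;
    for (int i = 0; i < nheld; i++) close(held[i]);
    return delta;
}

/* The exhaustion point: lower the soft RLIMIT_NOFILE (1024 is the usual
 * default, hence "~1000 attempts"), leak until the kernel refuses a new
 * socket, and return the errno seen (EMFILE). An accept loop that retries
 * every error unconditionally spins at 100% CPU from this state on. */
int errno_at_exhaustion(rlim_t soft_limit) {
    struct rlimit saved, low;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    low = saved; low.rlim_cur = soft_limit;
    if (setrlimit(RLIMIT_NOFILE, &low) != 0) return -1;
    int held[MAX_HELD], err = 0;
    int nheld = run_failed_auths(MAX_HELD, true, held, &err);
    for (int i = 0; i < nheld; i++) close(held[i]);
    setrlimit(RLIMIT_NOFILE, &saved);
    return err;
}

int main(void) {
    printf("leaked with bug: %d\n", fds_leaked_by_failed_auths(200, true));
    printf("leaked with fix: %d\n", fds_leaked_by_failed_auths(200, false));
    printf("errno at exhaustion: %d\n", errno_at_exhaustion(64));
    return 0;
}
```

The same probe applied to the real target is the check worth running alongside the reproducer above: count the entries of /proc/<pid>/fd for the gnome-session process while the PoC runs. On the unfixed package the count climbs by one per attempt until it reaches the process's soft RLIMIT_NOFILE, which is where the 100% CPU state begins; on the fixed package it stays flat.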
Comment 3 Matthias Gerstner 2017-07-12 08:22:42 UTC
This affects codestream SLE-11-SP1:Update.

I've made a preliminary bugfix in my branched package in

  home:mgerstner:branches:SUSE:SLE-11-SP1:Update/gnome-session

There I've simply applied the commit that worked over the implementation of
the whole libICE business. Maybe you can take the same approach for the
maintenance update.
Comment 4 Felix Zhang 2017-07-31 14:51:06 UTC
Thanks, pushed the fix to SUSE:SLE-11-SP1:Update, but with a bit of word twisting in the changelogs:
https://build.suse.de/request/show/136605
Comment 6 Swamp Workflow Management 2017-08-16 13:07:29 UTC
SUSE-SU-2017:2173-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1048274
CVE References: CVE-2017-11171
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    gnome-session-2.28.0-3.11.12.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gnome-session-2.28.0-3.11.12.2
Comment 7 Marcus Meissner 2017-10-25 19:03:33 UTC
released