Bug 1176733 (CVE-2020-26117) - VUL-0: CVE-2020-26117: tigervnc: certificate exceptions stored as authorities
Summary: VUL-0: CVE-2020-26117: tigervnc: certificate exceptions stored as authorities
Status: RESOLVED FIXED
Alias: CVE-2020-26117
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/267932/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-26117:9.3:(AV:...
Keywords:
Depends on:
Blocks: 1160249
Reported: 2020-09-18 21:02 UTC by Andreas Stieger
Modified: 2024-01-09 15:02 UTC
CC List: 8 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2020-09-18 21:02:28 UTC
A security issue was discovered in tigervnc related to how the viewers handle TLS certificate exceptions. Tigervnc before 1.11.0 stored the certificates as authorities, meaning that the owner of that certificate could impersonate any server it wanted after a client had added an exception. Tigervnc 1.11.0 handles this properly by only storing exceptions for specific hostname/certificate combinations, as done by HTTP user agents or SSH.

References:
From https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0
https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba
https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb
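The difference between the two trust models named in the description, as an added Python example that is not TigerVNC's own code and does not reproduce the upstream commits: an "authority" store that turns every accepted certificate into a trust anchor, beside an exception store keyed on the (hostname, certificate fingerprint) pair. Certificates are constructed stand-ins (a subject, an issuer and opaque bytes in place of DER), the hostnames are made up, and the one-line-per-exception file format is this example's own assumption, not the viewer's on-disk format.

```python
"""Trust-policy model for TLS certificate exceptions in a VNC viewer.

Two stores are modelled:
  AuthorityStore  - the pre-1.11 behaviour described in the bug: an accepted
                    certificate becomes a trust anchor, so anything it signs
                    is accepted for any hostname.
  ExceptionStore  - the 1.11 behaviour: an exception is recorded only for one
                    (hostname, certificate fingerprint) pair.

Certificates are constructed stand-ins (subject, issuer, opaque DER bytes);
no real X.509 parsing or signature verification takes place.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate claims to be for
    issuer: str    # subject of the certificate that (supposedly) signed it
    der: bytes     # stand-in for the DER encoding; hashed for the fingerprint


def fingerprint(cert: Cert) -> str:
    """SHA-256 of the DER bytes, hex encoded, as a stable identity for a cert."""
    return hashlib.sha256(cert.der).hexdigest()


class AuthorityStore:
    """Pre-1.11 model: the excepted certificate is stored as an authority."""

    def __init__(self) -> None:
        self.anchors: Dict[str, str] = {}  # fingerprint -> subject of the anchor

    def add_exception(self, hostname: str, cert: Cert) -> None:
        # The hostname is never recorded: the whole certificate becomes a CA.
        self.anchors[fingerprint(cert)] = cert.subject

    def accept(self, hostname: str, cert: Cert) -> bool:
        # The name must match, and the chain must end at a stored anchor;
        # any certificate issued by an anchor therefore passes for any host.
        if cert.subject != hostname:
            return False
        return fingerprint(cert) in self.anchors or cert.issuer in self.anchors.values()


class ExceptionStore:
    """1.11 model: exceptions are (hostname, fingerprint) pairs, like SSH known_hosts."""

    def __init__(self) -> None:
        self.exceptions: Set[Tuple[str, str]] = set()

    def add_exception(self, hostname: str, cert: Cert) -> None:
        self.exceptions.add((hostname, fingerprint(cert)))

    def accept(self, hostname: str, cert: Cert) -> bool:
        # Exact pair match only: the exception confers no signing authority
        # and does not carry over to another hostname.
        return (hostname, fingerprint(cert)) in self.exceptions

    def save(self, path: Path) -> None:
        # File format assumed for this example: one "hostname sha256hex" per line.
        lines = [f"{host} {fp}" for host, fp in sorted(self.exceptions)]
        path.write_text("\n".join(lines) + "\n")

    @classmethod
    def load(cls, path: Path) -> "ExceptionStore":
        store = cls()
        for line in path.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp = line.split(None, 1)
            store.exceptions.add((host, fp.strip()))
        return store


def compare_policies() -> Dict[str, bool]:
    """Constructed scenario: the user accepts vnc-a's self-signed certificate;
    later a certificate for vnc-b that chains to vnc-a's certificate shows up."""
    cert_a = Cert("vnc-a.example", "vnc-a.example", b"constructed DER for vnc-a")
    chained_b = Cert("vnc-b.example", "vnc-a.example", b"constructed DER chained to vnc-a")

    authority, exceptions = AuthorityStore(), ExceptionStore()
    authority.add_exception("vnc-a.example", cert_a)
    exceptions.add_exception("vnc-a.example", cert_a)

    return {
        "authority_accepts_a": authority.accept("vnc-a.example", cert_a),
        "authority_accepts_chained_b": authority.accept("vnc-b.example", chained_b),
        "exception_accepts_a": exceptions.accept("vnc-a.example", cert_a),
        "exception_accepts_chained_b": exceptions.accept("vnc-b.example", chained_b),
        "exception_accepts_a_for_b": exceptions.accept("vnc-b.example", cert_a),
    }


def roundtrip(store: ExceptionStore) -> ExceptionStore:
    """Persist a store to a temporary file and load it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "exceptions.txt"
        store.save(path)
        return ExceptionStore.load(path)


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name}: {result}")
```

The `authority_accepts_chained_b` result is the defect the bug describes: once the excepted certificate is an anchor, whoever holds its key can satisfy the check for any other hostname. The exception store returns `False` both for that case and for the same certificate presented under a different name, which is the behaviour the description attributes to 1.11.0.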
Comment 2 Andreas Stieger 2020-09-22 02:43:08 UTC
There was no comment with the need info, clearing. What do you need?
Comment 3 Stefan Dirsch 2020-09-23 10:37:01 UTC
Ok, so no CRD since the fixes are already upstream? Although there is no CVE number, updates are expected for sle and openSUSE and TW as usual, right?
Comment 4 Stefan Dirsch 2020-09-25 11:47:10 UTC
Fixed in devel project and submitted for Tumbleweed.
Comment 5 OBSbugzilla Bot 2020-09-25 12:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1176733) was mentioned in
https://build.opensuse.org/request/show/837392 Factory / tigervnc
Comment 6 Stefan Dirsch 2020-09-29 19:54:40 UTC
Meanwhile I also have fixes for sle15-sp1 and sle15, but things are getting difficult with sle12-sp4, where Java is too old and the Base64 module is missing. :-(

[   55s] /home/abuild/rpmbuild/BUILD/tigervnc-1.6.0/java/com/tigervnc/rfb/CSecurityTLS.java:44: error: cannot find symbol
[   55s] import java.util.Base64;
[   55s]                 ^
[   55s]   symbol:   class Base64
[   55s]   location: package java.util
Comment 8 Petr Tesařík 2020-10-06 15:41:53 UTC
I believe you must use DatatypeConverter.printBase64Binary() instead of Base64.getEncoder().encodeToString(). Let me check...
Comment 13 Stefan Dirsch 2020-10-07 15:22:41 UTC
sle15/sle15-sp1 with CVE:
https://build.suse.de/request/show/228084
https://build.suse.de/request/show/228083
Comment 14 Swamp Workflow Management 2020-10-09 16:15:27 UTC
SUSE-SU-2020:2881-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    tigervnc-1.6.0-22.17.1
SUSE OpenStack Cloud 9 (src):    tigervnc-1.6.0-22.17.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    tigervnc-1.6.0-22.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    tigervnc-1.6.0-22.17.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    tigervnc-1.6.0-22.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-10-09 16:17:28 UTC
SUSE-SU-2020:2882-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    tigervnc-1.8.0-13.14.1
SUSE Linux Enterprise Server 15-LTSS (src):    tigervnc-1.8.0-13.14.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    tigervnc-1.8.0-13.14.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    tigervnc-1.8.0-13.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-10-09 16:18:30 UTC
SUSE-SU-2020:2880-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    tigervnc-1.9.0-19.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    tigervnc-1.9.0-19.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    tigervnc-1.9.0-19.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    tigervnc-1.9.0-19.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2020-10-13 13:15:19 UTC
openSUSE-SU-2020:1666-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    tigervnc-1.9.0-lp152.7.3.1
Comment 18 Swamp Workflow Management 2020-10-13 16:19:03 UTC
SUSE-SU-2020:2898-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    tigervnc-1.6.0-27.1
SUSE OpenStack Cloud 8 (src):    tigervnc-1.6.0-27.1
SUSE OpenStack Cloud 7 (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    tigervnc-1.6.0-27.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    tigervnc-1.6.0-27.1
SUSE Enterprise Storage 5 (src):    tigervnc-1.6.0-27.1
HPE Helion Openstack 8 (src):    tigervnc-1.6.0-27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Wolfgang Frisch 2020-10-15 11:31:21 UTC
Released.
Comment 20 Swamp Workflow Management 2020-11-05 23:27:41 UTC
openSUSE-SU-2020:1841-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 1176733
CVE References: CVE-2020-26117
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    tigervnc-1.9.0-lp151.4.9.1