Skip to content

Implement client identity verification [SECURITY VULNERABILITIES CVE-2021-42072, CVE-2021-42073]#1346

Merged
p12tic merged 13 commits intodebauchee:masterfrom
p12tic:client-identity-verification
Nov 1, 2021
Merged

Implement client identity verification [SECURITY VULNERABILITIES CVE-2021-42072, CVE-2021-42073]#1346
p12tic merged 13 commits intodebauchee:masterfrom
p12tic:client-identity-verification

Conversation

@p12tic
Copy link
Copy Markdown
Member

@p12tic p12tic commented Nov 1, 2021

This PR implements client identity verification. Essentially server gets the same process of accepting and rejecting clients like the clients can accept or reject the server. This is important because even though the client can't move the mouse on the server, it can still receive input and potentially set the clipboard.

This PR fixes the following security vulnerabilities:

  • CVE-2021-42072 server does not verify client identity (certificate fingerprint)
  • CVE-2021-42073 By guessing/listening in on valid client names server clipboard content can be manipulated.

The issues have been reported by Matthias Gerstner mgerstner@suse.de @mgerstner. Matthias also provided insights into how best to fix the issues, precise reproduction steps and any used tools and made the maintainer's life as pleasant as possible. Thank you!

p12tic added 13 commits November 1, 2021 04:50
@p12tic
lib/net: Load client SSL certificates when connecting
c0ce893
@p12tic
gui: Move SSL fingerprint labels out of server frame
92ba6f6 
SSL fingerprints will be used to auth both server and client.
@p12tic
lib/net: Present client certificate when connecting to server
4d73ed9
@p12tic
gui: Expand checkboxes in settings dialog through both grid columns
ed32e2e
@p12tic
gui: Add configuration for requiring client certificates
8bc280e
@p12tic
lib/net: Don't hardcode fingerprint DB path in verify_cert_fingerprint()
133e447
@p12tic
lib/net: Improve name of showCertificate() to reflect what it does
82b8fa9
@p12tic
lib/net: Use enum for connection security level instead of boolean
5c7d719
@p12tic
lib/net: Pass connection security level to within socket classes
57769cf
@p12tic
gui: Fix fingerprint database being not populated due to missing dirs
e79bdf3
@p12tic
Implement client identity verification
229abab 
This commit fixes two security vulnerabilities: CVE-2021-42072 and
CVE-2021-42073.

The issues have been reported by Matthias Gerstner <mgerstner@suse.de>.
@p12tic
gui: Extract barrier type to separate enum
165100a
@p12tic
gui: Improve formatting of the fingerprint acceptance dialog
7cacbd1
@p12tic p12tic changed the title Implement client identity verification [SECURITY VULNERABILITY CVE-2021-42072, CVE-2021-42073] Implement client identity verification [SECURITY VULNERABILITIES CVE-2021-42072, CVE-2021-42073] Nov 1, 2021
@p12tic p12tic merged commit b5adc93 into debauchee:master Nov 1, 2021
@p12tic p12tic deleted the client-identity-verification branch November 1, 2021 03:15
@ghost ghost mentioned this pull request Nov 10, 2021
Merged
@sithlord48 sithlord48 mentioned this pull request Nov 29, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@p12tic