Opened 11 years ago
Closed 11 years ago
#11745 closed defect (fixed)
VRDP (RDP) server not enforcing specified encryption => Fixed in SVN
| Reported by: | rshaw | Owned by: | |
|---|---|---|---|
| Component: | RDP | Version: | VirtualBox 4.2.12 |
| Keywords: | RDP encryption VRDP server | Cc: | |
| Guest type: | all | Host type: | Linux |
Description
I filed this as a blocker as this is a major security vulnerability.
Following the directions described here, I have generated certificates using openssl and have instructed VirtualBox to use those certificates for a specified VM.
openssl req -new -x509 -days 365 -extensions v3_ca \ -keyout ca_key_private.pem -out ca_cert.pem
openssl genrsa -out server_key_private.pem
openssl req -new -key server_key_private.pem -out server_req.pem
openssl x509 -req -days 365 -in server_req.pem \ -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem
vboxmanage modifyvm "TestVM" --vrdeproperty "Security/Method=TLS"
vboxmanage modifyvm "TestVM" \ --vrdeproperty "Security/CACertificate=/home/ryan/rdp/ca_cert.pem"
vboxmanage modifyvm "TestVM" \ --vrdeproperty "Security/ServerCertificate=/home/ryan/rdp/server_cert.pem"
vboxmanage modifyvm "TestVM" \ --vrdeproperty "Security/ServerPrivateKey=/home/ryan/rdp/server_key_private.pem"
vboxmanage showvminfo confirms these settings are set
vboxmanage showvminfo "TestVM"
... VRDE property: TCP/Ports = "5000-5049" VRDE property: TCP/Address = <not set> VRDE property: VideoChannel/Enabled = <not set> VRDE property: VideoChannel/Quality = <not set> VRDE property: VideoChannel/DownscaleProtection = <not set> VRDE property: Client/DisableDisplay = <not set> VRDE property: Client/DisableInput = <not set> VRDE property: Client/DisableAudio = <not set> VRDE property: Client/DisableUSB = <not set> VRDE property: Client/DisableClipboard = <not set> VRDE property: Client/DisableUpstreamAudio = <not set> VRDE property: Client/DisableRDPDR = <not set> VRDE property: H3DRedirect/Enabled = <not set> VRDE property: Security/Method = "TLS" VRDE property: Security/ServerCertificate = "/home/ryan/rdp/server_cert.pem" VRDE property: Security/ServerPrivateKey = "/home/ryan/rdp/server_key_private.pem" VRDE property: Security/CACertificate = "/home/ryan/rdp/ca_cert.pem" VRDE property: Audio/RateCorrectionMode = <not set> ...
Start the VM, and try to connect to the RDP session with rdesktop-vrdp
rdesktop-vrdp localhost:5000
No prompts are received about trusting any certificates - the session simply connects.
Confirming this:
vboxmanage showvminfo "TestVM" --details
... VRDE Connection: active Clients so far: 6 Start time: 2013/04/23 14:12:25 UTC Sent: 0 Bytes Average speed: 0 B/s Sent total: 0 Bytes Received: 0 Bytes Speed: 0 B/s Received total: 0 Bytes User name: Domain: Client name: Client IP: Client version: 0 Encryption: RDP4 ...
Note the encryption is specified as RDP4, NOT TLS as requested. The first command issued, --vrdeproperty "Security/Method=TLS" states:
TLS - only Enhanced RDP Security is accepted. The client must support TLS.
This is not being enforced.
Change History (3)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
| Summary: | VRDP (RDP) server not enforcing specified encryption → VRDP (RDP) server not enforcing specified encryption => Fixed in SVN |
|---|
Note:
See TracTickets
for help on using tickets.
Right, this option did not work as documented.
Here is a new build: http://www.virtualbox.org/download/testcase/Oracle_VM_VirtualBox_Extension_Pack-4.2.13-85232.vbox-extpack
Now it should behave as described in the manual. Thanks.