CVE-2024-5148

7.5 HIGH

📋 TL;DR

This vulnerability in gnome-remote-desktop allows unauthorized users on the system to access the RDP TLS certificate and key during the login screen to user session transition. Attackers can then take control of RDP client connections. This affects systems running gnome-remote-desktop with RDP enabled.

💻 Affected Systems

Products:
  • gnome-remote-desktop
Versions: Versions prior to the fix
Operating Systems: Linux distributions with GNOME desktop environment
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where gnome-remote-desktop is installed and RDP functionality is enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious local user gains full control over RDP sessions, potentially intercepting credentials and data, and establishing persistent access to compromised systems.

🟠 Likely Case

Local attackers with user access can hijack RDP sessions during login transitions, leading to unauthorized access to user sessions and potential credential theft.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated session compromise that can be detected and terminated.

🌐 Internet-Facing: LOW - This requires local system access, not directly exploitable from the internet.
🏢 Internal Only: HIGH - Local attackers with user accounts can exploit this to compromise RDP sessions and potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to the system and knowledge of D-Bus methods. Exploitation involves manipulating session agent validation during login transitions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check distribution-specific updates (e.g., Red Hat, Ubuntu)

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-5148

Restart Required: Yes

Instructions:

  1. Update gnome-remote-desktop package via your distribution's package manager.
  2. Restart the gnome-remote-desktop service or reboot the system.

🔧 Temporary Workarounds

Disable gnome-remote-desktop RDP (Linux)

Temporarily disable RDP functionality to prevent exploitation:

sudo systemctl stop gnome-remote-desktop
sudo systemctl disable gnome-remote-desktop

Restrict D-Bus access (Linux)

Limit D-Bus method access to authorized users only:

sudo chmod 750 /usr/share/dbus-1/system-services/org.gnome.RemoteDesktop.service
sudo systemctl reload dbus

🧯 If You Can't Patch

  • Disable gnome-remote-desktop service completely if RDP is not required
  • Implement strict access controls to limit local user privileges and monitor for suspicious D-Bus activity

🔍 How to Verify

Check if Vulnerable:

Check gnome-remote-desktop version and compare against patched versions for your distribution

Check Version:

  • gnome-remote-desktop --version
  • rpm -q gnome-remote-desktop
  • dpkg -l gnome-remote-desktop

Verify Fix Applied:

Confirm that the installed package version matches the patched version for your distribution and that the service was restarted after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual D-Bus method calls related to session agent validation
  • Multiple failed RDP session transitions
  • Unauthorized access attempts to RDP certificate files

Network Indicators:

  • Unexpected RDP session hijacking or connection anomalies

SIEM Query:

source="systemd" AND process="gnome-remote-desktop" AND (event="dbus-method-call" OR event="certificate-access")
