NoMachine privileges escalation vulnerability
June 10, 2015 at 11:49 #7418 Britgirl (Keymaster)
To all NoMachine users,
NoMachine makes available updated packages to prevent a vulnerability in one of the server utilities which could be exploited by authenticated users to gain local root privileges on Linux and Mac OS X hosts.
We strongly recommend users upgrade their server installations to this release, 4.6.4. Although Enterprise Client is not impacted by this vulnerability, we advise users to also update their client installations. NX 3.5.0 is not affected.
Supported Platforms
Windows 32-bit/64-bit XP/Vista/7/8/8.1
Mac OS X Intel 64-bit 10.5/10.6/10.7/10.8/10.9/10.10
Linux 32-bit and 64-bit
Red Hat Enterprise 4/5/6/7
SLES 10/11
Open SUSE 10.x/11.x/12.x/13.x
Mandriva 2009/2010/2011
Fedora Core 10/11/12/13/14/15/16/17/18/19/20/21
Debian GNU Linux 4.0 Etch/5.0 Lenny/6.0 Squeeze/7.0 Wheezy/8.0 Jessie
Ubuntu 8.04 Hardy Heron/8.10 Intrepid Ibex/9.04 Jaunty Jackalope/
9.10 Karmic Koala/10.4 Lucid Lynx/10.10 Maverick Meerkat/11.04 Natty Narwhal/
11.10 Oneiric Ocelot/12.04 Precise Pangolin/12.10 Quantal Quetzal/13.04 Raring Ringtail/
13.10 Saucy Salamander/14.04 Trusty Tahr/14.10 Utopic Unicorn/15.04 Vivid Vervet
Download NoMachine Packages
You can download the latest packages suitable for your Operating System from the NoMachine Web site at the following URL:
http://www.nomachine.com/download
Customers with valid subscriptions should log in and download the “Update version” from their customer area.
Automatic updates
The automatic check for updates has been enabled since version 4.6.3 and is scheduled to check our repositories every two days.
To update any of the NoMachine servers immediately:
– Run the NoMachine GUI from your Programs Menu.
– Click on ‘Preferences’ and ‘Updates’.
– Then click on the ‘Check now’ button.
To update the NoMachine Enterprise Client immediately:
– Click on ‘Preferences’ and ‘Updates’.
– Then click on the ‘Check now’ button.
More information about the check for automatic updates is available here: https://www.nomachine.com/AR05M00847
Manual package update
Please follow the instructions to update your installation manually:
On Windows:
– Download and save the EXE file.
– Double click on the NoMachine executable file.
– As for the installation, the Setup Wizard will take you through all steps necessary for updating NoMachine.
On Mac OS X:
– Download and save the DMG file.
– Double-click on the Disk Image to open it and double-click on the NoMachine program icon.
– As for the installation, the Installer will take you through all steps necessary for updating NoMachine.
On Linux:
You can use the graphical package manager provided by your Linux distribution or update NoMachine by command line by following instructions below.
If you don’t have the sudo utility installed, log on as superuser (“root”) and run the commands without sudo.
RPM
– Download and save the RPM file.
– Update your NoMachine installation by running:
# rpm -Uvh <pkgName>_<pkgVersion>_<arch>.rpm
DEB
– Download and save the DEB file.
– Update your NoMachine installation by running:
$ sudo dpkg -i <pkgName>_<pkgVersion>_<arch>.deb
TAR.GZ
– Download and save the TAR.GZ file.
– Update your NoMachine installation by running:
$ cd /usr
$ sudo tar xvzf <pkgName>_<pkgVersion>_<arch>.tar.gz
$ sudo /usr/NX/nxserver --update
If you are installing Enterprise Client or Node run respectively:
$ sudo /usr/NX/nxclient --update
$ sudo /usr/NX/nxnode --update
Documents
Installation and configuration guides for the NoMachine products are available at:
http://www.nomachine.com/documents
The NoMachine Security Team
June 11, 2015 at 10:48 #7420 esarmien (Participant)
Hi NoMachine,
I’m having trouble understanding this.
Is this a vulnerability that exists on NoMachine servers which are running nxserver.bin and nxnode.bin? Is this a vulnerability that exists on Cloud Servers or Cloud Nodes? Or is this a vulnerability that only exists on hosts which have the non-enterprise client installed?
Best,
Evan
June 11, 2015 at 10:54 #7436 Britgirl (Keymaster)
All NoMachine servers and nodes on Linux and Mac OS X hosts are affected and you are advised to update. So this means if you are running a Cloud Server, you need to update it; if you are running a Terminal Server Node, you need to update it; if you are running an Enterprise Desktop, you need to update it. Enterprise Client is not affected, but we recommend you update clients in order to keep versions aligned.