NoMachine privileges escalation vulnerability

Forum / General Discussions / NoMachine privileges escalation vulnerability

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #7418
    Britgirl
    Participant

    To all NoMachine users,

    NoMachine makes available updated packages to prevent a vulnerability in one of the server utilities which could be exploited by authenticated users to gain local root privileges on Linux and Mac OS X hosts.

    We strongly recommend users upgrade their server installations to this release, 4.6.4. Although Enterprise Client is not impacted by this vulnerability, we advise users to also update their client installations. NX 3.5.0 is not affected.


    Supported Platforms

    Windows 32-bit/64-bit XP/Vista/7/8/8.1

    Mac OS X Intel 64-bit 10.5/10.6/10.7/10.8/10.9/10.10

    Linux 32-bit and 64-bit

    Red Hat Enterprise 4/5/6/7
    SLES 10/11
    Open SUSE 10.x/11.x/12.x/13.x
    Mandriva 2009/2010/2011
    Fedora Core 10/11/12/13/14/15/16/17/18/19/20/21
    Debian GNU Linux 4.0 Etch/5.0 Lenny/6.0 Squeeze/7.0 Wheezy/8.0 Jessie
    Ubuntu 8.04 Hardy Heron/8.10 Intrepid Ibex/9.04 Jaunty Jackalope/
    9.10 Karmic Koala/10.4 Lucid Lynx/10.10 Maverick Meerkat/11.04 Natty Narwhal/
    11.10 Oneiric Ocelot/12.04 Precise Pangolin/12.10 Quantal Quetzal/13.04 Raring Ringtail/
    13.10 Saucy Salamander/14.04 Trusty Tahr/14.10 Utopic Unicorn/15.04 Vivid Vervet

     

    Download NoMachine Packages

    You can download the latest packages suitable for your Operating System from the NoMachine Web site at the following URL:

    http://www.nomachine.com/download

    Customers with valid subscriptions should log in and download the “Update version” from their customer area.

    Automatic updates

    The automatic check for updates has been enabled since version 4.6.3 and is scheduled to check our repositories every two days.

    To update any of the NoMachine servers immediately:

    – Run the NoMachine GUI from your Programs Menu.

    – Click on ‘Preferences’ and ‘Updates’.

    – Then click on the ‘Check now’ button.

    To update the NoMachine Enterprise Client immediately:

    – Click on ‘Preferences’ and ‘Updates’.

    – Then click on the ‘Check now’ button.

    More information about the check for automatic updates is available here: https://www.nomachine.com/AR05M00847


    Manual package update

    Please follow the instructions to update your installation manually:

    On Windows:

    – Download and save the EXE file.
    – Double click on the NoMachine executable file.
    – As for the installation, the Setup Wizard will take you through all steps necessary for updating NoMachine.

    On Mac OS X:

    – Download and save the DMG file.
    – Double-click on the Disk Image to open it and double-click on the NoMachine program icon.
    – As for the installation, the Installer will take you through through all steps necessary for updating NoMachine.

    On Linux:

    You can use the graphical package manager provided by your Linux distribution or update NoMachine by command line by following instructions below.
    If you don’t have the sudo utility installed, log on as superuser (“root”) and run the commands without sudo.

    RPM

    – Download and save the RPM file.
    – Update your NoMachine installation by running:

    # rpm -Uvh <pkgName>_<pkgVersion>_<arch>.rpm

    DEB

    – Download and save the DEB file.
    – Update your NoMachine installation by running:

    $ sudo dpkg -i <pkgName>_<pkgVersion>_<arch>.deb

    TAR.GZ

    – Download and save the TAR.GZ file.
    – Update your NoMachine installation by running:

    $ cd /usr
    $ sudo tar xvzf <pkgName>_<pkgVersion>_<arch>.tar.gz
    $ sudo /usr/NX/nxserver –update

    If you are installing Enterprise Client or Node run respectively:

    $ sudo /usr/NX/nxclient –update
    $ sudo /usr/NX/nxnode –update

     

    Documents

    Installation and configuration guides for the NoMachine products are available at:

    http://www.nomachine.com/documents

    The NoMachine Security Team

    #7420
    esarmien
    Participant

    Hi NoMachine,

    I’m having trouble understanding this.

    Is this a vulnerability that exists on NoMachine servers which are running nxserver.bin and nxnode.bin? Is this a vulnerability that exists on Cloud Servers or Cloud Nodes? Or is this a vulnerability that only exists on hosts which have the non-enterprise client installed?

    Best,

    Evan

     

    #7436
    Britgirl
    Participant

    All NoMachine servers and nodes on Linux and Mac OS X hosts are affected and you are advised to update. So this means if you are running a Cloud Server, you need to update it; if you are running a Terminal Server Node, you need to update it; if you are running an Enterprise Desktop, you need to update it. Enterprise Client is not affected, but we recommend you update clients in order to keep versions aligned.

Viewing 3 posts - 1 through 3 (of 3 total)

This topic was marked as closed, you can't post.