Bug#1106527: gnome-remote-desktop: CVE-2025-5024: DoS via resource exhaustion

[Simon McVittie]

Control: retitle -1 gnome-remote-desktop: CVE-2025-5024: DoS via resource exhaustion
Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/merge_requests/321

On Sun, 25 May 2025 at 16:13:13 +0200, Salvatore Bonaccorso forwarded:
>| A flaw was found in gnome-remote-desktop. Once gnome-remote-desktop
>| listens for RDP connections, an unauthenticated attacker can exhaust
>| system resources and repeatedly crash the process. There may be a
>| resource leak after many attacks, which will also result in gnome-
>| remote-desktop no longer being able to open files even after it is
>| restarted via systemd.

I don't think this is a showstopper for trixie: it allows an attacker on 
the local LAN to cause a denial of service via resource exhaustion, but 
it seems like it's only a denial of service and not something more 
serious, and it's only exploitable by an attacker who can contact the 
remote desktop server's RDP port. That's contrary to g-r-d's intended 
security model, hence a CVE, but I wouldn't want to expose a protocol as 
powerful as RDP onto untrusted networks *anyway*.

The typical use-case that I would expect for gnome-remote-desktop is 
that a Debian GNOME desktop system enables gnome-remote-desktop, and a 
client system on the same LAN (Debian or not, and GNOME or not) 
remote-controls that system via a RDP client.

A mitigation is to firewall the desktop system (firewalld or similar) so 
that RDP is only exposed when on a trusted or at least mostly-trusted 
WLAN, or to only enable gnome-remote-desktop temporarily when it is 
needed and disable it afterwards.

There is a merge request open upstream (linked above) but it hasn't been 
merged and has some known issues, and it's a significant code change (it 
adds a complete implementation of connection counting and throttling).

     smcv