NX Server nxconfigure.sh Command Injection
by: Silvia Regis
Rome, Italy, August 5, 2011 -
A bug has been found in the nxconfigure.sh script, the SUIDed script
used by NX Server Manager to handle the server configuration.
This script could be executed by any user from the command line to execute arbitray commands on the system.
A workaround has been provided in the Trouble Report we have opened as severity "Critical":
to the possible command injection vulnerability arising from this
problem, it is strongly advised to upgrade the NX Server and NX Node
installations to the following versions: NX Node 3.5.0-4 and NX Server 3.5.0-5.
The NoMachine Security Team