ThinLinc 4.15.1 through 4.20.1 security release

A security release is now available that fixes a critical security issue in Web Access, ThinLinc's browser-based web client. Patched builds (4.15.1 through 4.20.1) are available for all supported versions of ThinLinc, i.e. 4.15.0 through 4.20.0. More details about the upgrade process can be found in this post:

https://community.thinlinc.com/t/1983

The vulnerability allowed any user with access to the system to impersonate any other user, including the root user.

Exploiting the vulnerability required a multi-step authentication flow, e.g. one-time passwords, a login banner, or an expired password. A single-step username-and-password login was not sufficient to trigger the issue.

If an upgrade is not immediately possible, the vulnerability can be mitigated by disabling the ThinLinc Web Access service by running:

$ sudo systemctl disable --now tlwebaccess.service

Until the cluster has been upgraded, the service should be disabled on every machine in the ThinLinc cluster.

The security release can be downloaded directly from our web page at:

This issue was discovered by our partner Cosmikal S.L.

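The cluster-wide interim mitigation described above, as an added shell example that is not part of the advisory or of ThinLinc itself: it runs the same `sudo systemctl disable --now tlwebaccess.service` on each node over SSH and then checks with `systemctl is-active` and `systemctl is-enabled` that the unit is both stopped and will not come back at boot. The node list, the `run_on`, `verify_node` and `mitigate_cluster` helper names, and the assumption of key-based SSH with passwordless sudo are all constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the ThinLinc advisory or the ThinLinc code base.
# Applies the interim mitigation (stop and disable tlwebaccess.service) on
# every node of a cluster and verifies that it took effect on each one.
# Assumptions (constructed for the example): the operator has key-based SSH
# access to each node and passwordless sudo for systemctl.

SERVICE="tlwebaccess.service"
# Constructed sample node list; set NODES to the real master and agents.
NODES="${NODES:-master.example.com agent1.example.com agent2.example.com}"

# Run a command on one node. Kept as a separate function so it can be
# replaced by a local stub when exercising the logic without a cluster.
run_on() {                       # run_on <node> <command...>
  local node="$1"; shift
  ssh -o BatchMode=yes -o ConnectTimeout=10 "$node" "$@"
}

# The mitigation from the advisory, unchanged, applied on one node.
disable_web_access() {           # disable_web_access <node>
  run_on "$1" sudo systemctl disable --now "$SERVICE"
}

# Decide from the two systemctl answers whether the service is really off.
# Any running/transitional state fails; only an explicit "disabled" or
# "masked" unit-file state passes. Empty output (SSH failure, missing unit)
# deliberately fails so the operator looks at that node by hand.
mitigated() {                    # mitigated <is-active output> <is-enabled output>
  case "$1" in
    active|activating|reloading|deactivating) return 1 ;;
  esac
  case "$2" in
    disabled|masked|masked-runtime) return 0 ;;
  esac
  return 1
}

# Query one node and return 0 only if the service is stopped and disabled.
verify_node() {                  # verify_node <node>
  local active enabled
  # systemctl exits non-zero for inactive/disabled units; keep the text.
  active=$(run_on "$1" systemctl is-active "$SERVICE" 2>/dev/null) || true
  enabled=$(run_on "$1" systemctl is-enabled "$SERVICE" 2>/dev/null) || true
  mitigated "$active" "$enabled"
}

# Apply and verify on every node; non-zero if any node is still exposed.
mitigate_cluster() {
  local rc=0 node
  for node in $NODES; do
    if ! disable_web_access "$node"; then
      echo "$node: could not disable $SERVICE" >&2; rc=1; continue
    fi
    if verify_node "$node"; then
      echo "$node: $SERVICE stopped and disabled"
    else
      echo "$node: $SERVICE still active or enabled" >&2; rc=1
    fi
  done
  return "$rc"
}

# Run against the cluster only when explicitly asked, so the file can also
# be sourced to reuse verify_node as a read-only audit.
if [ "${TLWA_APPLY:-0}" = 1 ]; then
  mitigate_cluster
fi
```

Run it as `TLWA_APPLY=1 NODES="master agent1 agent2" bash mitigate.sh`; a non-zero exit means at least one node still needs attention. Sourcing the file and calling `verify_node <host>` alone gives a read-only check that can be repeated until the upgrade is done.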

Details are now available on how to detect if this vulnerability has been exploited:
