Deskflow Denial-of-Service Vulnerability in TLS Handshake Processing
Vulnerability
A denial-of-service vulnerability has been identified in Deskflow, a keyboard and mouse sharing application, affecting versions prior to 1.26.0.167. The issue arises on servers with TLS enabled, which is the default configuration. When a TCP peer connects and the initial bytes do not constitute a valid TLS ClientHello, the SecureSocket::secureAccept function enters a fatal-error state. This triggers a blocking one-second sleep on the multiplexer worker thread, which manages all server sockets. As a result, input delivery from established TLS clients is halted for approximately one second, causing noticeable lag in mouse and keyboard input. Sustained attacks with malformed connections can render the server effectively unusable. The vulnerability does not affect clients or servers with TLS disabled.
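The stall mechanism described above, as an added model in Python (not Deskflow's own code): one loop services every socket, the vulnerable branch sleeps that loop when a handshake fails, and the hardened branch parks only the offending socket behind a deadline, which is one non-blocking alternative rather than the project's actual patch. The peer names, event timeline and 10 ms loop cost are assumptions.

```python
"""Constructed model (not Deskflow code) of one worker loop that owns every
server socket: a blocking call in one peer's handler stalls all peers.
Time is a virtual millisecond counter so the run is deterministic."""
from dataclasses import dataclass

HANDSHAKE_FAIL_PENALTY_MS = 1000  # the advisory's one-second stall
LOOP_TICK_MS = 10                 # cost of one pass over all sockets (assumed)


@dataclass
class Peer:
    name: str
    events: list       # (kind, arrival_ms) tuples, oldest first
    retry_at: int = 0  # hardened path: leave this peer alone until this time


def build_scenario():
    """One legitimate TLS client sending input every 100 ms, plus connections
    whose first bytes are not a valid ClientHello (constructed timeline)."""
    client = Peer("client", [("input", t) for t in range(0, 1000, 100)])
    junk = Peer("junk", [("bad_hello", 0), ("bad_hello", 500)])
    return [client, junk]


def run_multiplexer(peers, blocking_sleep):
    """Run until every event is consumed; return the worst input-delivery
    latency (ms) seen by any peer.
    blocking_sleep=True  -> vulnerable: a failed handshake sleeps the whole loop.
    blocking_sleep=False -> hardened: only the failing socket is parked behind
                            a deadline while the others keep being serviced."""
    clock, worst_latency = 0, 0
    while any(p.events for p in peers):
        for p in peers:
            if not p.events or clock < p.retry_at:
                continue
            kind, arrived = p.events[0]
            if arrived > clock:
                continue  # nothing readable on this socket yet
            p.events.pop(0)
            if kind == "input":
                worst_latency = max(worst_latency, clock - arrived)
            elif blocking_sleep:
                clock += HANDSHAKE_FAIL_PENALTY_MS  # every peer waits
            else:
                p.retry_at = clock + HANDSHAKE_FAIL_PENALTY_MS  # only this one
        clock += LOOP_TICK_MS
    return worst_latency
```

Running `run_multiplexer(build_scenario(), True)` reports a worst latency of 1820 ms for the legitimate client because the two back-to-back failures compound, while the parked variant reports 0 ms on the same timeline.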
Impact
Exploitation of this vulnerability causes a significant disruption in service, with the server stalling input delivery from all connected clients for one second per failed TLS handshake. This leads to a noticeable degradation of user experience, with mouse movements stuttering and keystrokes lagging. Such disruptions can be compounded under sustained attack, where the server becomes increasingly unresponsive.
Reproduction
The vulnerability can be reproduced by sending malformed connections to a Deskflow server with TLS enabled, on the default listening port of 24800. This can be done using a proof-of-concept script available in the Deskflow repository, which automates the process of sending such connections and measuring the resulting impact on the server's responsiveness.
Remediation
Users can upgrade to Deskflow version 1.26.0.167 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, the server can be bound to trusted interfaces or the listening port can be firewalled to restrict access to intended client IPs. Disabling TLS is also an option, but not recommended due to the loss of encryption, and should only be considered on a fully trusted network.