CVE-2006-2369: Security flaw in RealVNC 4.1.1
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
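The check the description above implies, as an added example (this is not RealVNC's code and not the testing tool mentioned below): the server accepts the client's one-byte security-type choice only if that type was in the list it offered, and the same comparison can flag a captured handshake. Function names and sample bytes are constructed for illustration; the message layouts follow the RFB 3.8 security handshake.

```python
import struct

# RFB security type numbers from the protocol specification.
SEC_NONE = 1
SEC_VNC_AUTH = 2

class HandshakeError(Exception):
    pass

def offer_message(offered):
    """Server -> client: U8 count followed by one U8 per offered type."""
    if not offered or len(offered) > 255:
        raise ValueError("offer between 1 and 255 security types")
    return bytes([len(offered)]) + bytes(offered)

def parse_offer(msg):
    """Parse the server's security-type list, checking the count byte."""
    if len(msg) < 1 or len(msg) != 1 + msg[0]:
        raise HandshakeError("malformed security-type list")
    return list(msg[1:])

def failure_result(reason):
    """RFB 3.8 SecurityResult failure: U32 status 1, U32 length, reason text."""
    text = reason.encode("ascii")
    return struct.pack(">II", 1, len(text)) + text

def handle_selection(offered, client_msg):
    """Server side: accept the client's choice only if it was offered.

    Returns (accepted_type, reply). reply is None when the handshake may
    continue, or the failure message to send before closing the connection.
    """
    if len(client_msg) != 1:
        return None, failure_result("malformed security-type selection")
    chosen = client_msg[0]
    if chosen not in offered:
        # The choice must come from the offer, whatever type the client names.
        return None, failure_result("security type %d was not offered" % chosen)
    return chosen, None

def audit_capture(server_offer, client_choice):
    """Detection view: True when a captured client choice is outside the offer."""
    offered = parse_offer(server_offer)
    return len(client_choice) != 1 or client_choice[0] not in offered

# Constructed sample: a password-protected server offers only VNC Authentication.
OFFER = offer_message([SEC_VNC_AUTH])
```

`audit_capture` takes the raw bytes of the two handshake messages, so it can be run over reassembled streams from a packet capture to spot clients selecting a type the server never listed.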
Update (June 2006): We have created a vulnerability testing tool. It is free, and can be downloaded from here.
Update (05/10/2006) – We have contacted the RealVNC team. Quickly they released a new version that fixed the security issue. If you are running WinVNC 4.1.1 I suggest you get to www.realvnc.com today and update your software.
Update (05/08/2006) – We have installed RealVNC 4.1.1 on as many fresh computers as possible. We wanted to make sure this is a real problem – indeed it is. Every single time we were able to access the machine without a valid password. We are still trying to see what is different about our viewer that exposes this flaw.
We are currently developing a new product that would allow users to remotely install VNC, and manage current VNC installations.
Our viewer is totally 100% new code that we created from the VNC spec and not from the open source RealVNC source tree.
I got a big surprise today when I was testing the viewer code: I was able to view the remote machine without the proper password!
It had to be some type of mistake, so I installed RealVNC 4.1.1 on a test machine:
I set the password to a really huge value that I could not have possibly left in our code by accident. Got back on the development machine and clicked connect:
Instantly I had a view of the remote machine!
I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away.
Then I downloaded RealVNC 4.0 and installed it on another fresh test machine. Same thing as Tight and Ultra – I get disconnected right away.
So it looks like a flaw is in the current RealVNC 4.1.1 authentication process. I am not going to give any clues as to what it is until I can figure it out totally, and promptly let the RealVNC team know so they can resolve the issue.
Please note that I have only tested this on the Windows versions of the above software.