RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.

.

Update (June 2006): We have created a vulnerability testing tool . It is free, and can be downloaded from here

Update (05/10/2006) – We have contacted the RealVNC team. Quickly they released a new version that fixed the security issue. If you are running WinVNC 4.1.1 I suggest you get to www.realvnc.com today and update your software.

Update (05/08/2006) – We have installed RealVNC 4.1.1 on as many fresh computers as possible. We wanted to make sure this is a real problem – indeed it is. Every single time we were able to access the machine without a valid password. We are still trying to see what is different about our viewer that exposes this flaw.

We are currently developing a new product that would allow users to remotely install VNC, and manage current VNC installations.

Our viewer is totally 100% new code that we created from the VNC spec and not from the open source Real VNC source tree.

I got a big surprise today when I was testing the viewer code: I was able to view the remote machine without the proper password!

It had to be some type of mistake, so I installed Real VNC 4.1.1 on a test machine:

I set the password to a really huge value that I could not have possibly left in our code by accident. Got back on the development machine and clicked connect:

Instantly I had a view of the remote machine!

I started to wonder how widespread this flaw was so I downloaded TightVNC, and UltraVNC. They are immune. Both of them reject my connection right away.

Then I downloaded RealVNC 4.0 and installed it on another fresh test machine. Same thing as Tight and Ultra – I get disconnected right away.

So it looks like a flaw is in the current RealVNC 4.1.1 authentication process. I am not going to give any clues as to what it is until I can figure it out totally, and promptly let the RealVNC team know so they can resolve the issue.

Please note that I have only tested this on the windows versions of the above software.

One more thing…Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them. Click Here to get your free tools

CVE-2006-2369: Security flaw in RealVNC 4.1.1

Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when configured for BGP routing, allows remote attackers to cause a denial of service (device reload) via malformed BGP (1) OPEN or (2) UPDATE messages.

**Overview**

Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service.

**Description**

BGP (RFC 1771) is designed to exchange network reachability information between peer nodes. Information advertised by a BGP system to its peers includes timers, metrics, and paths to different Autonomous System (AS) networks. Routing between AS networks depends on BGP, and the Internet is a network of AS networks. Therefore, vulnerabilities in BGP have the potential to affect the Internet infrastructure.

Multiple BGP implementations contain vulnerabilities handling exceptional OPEN and UPDATE messages. While the details of the individual vulnerabilities are different, the impacts appear to be limited to denial of service. In addition, most BGP implementations do not accept messages from arbitrary sources. Some BGP implementations only accept TCP connections (179/tcp) from properly configured peers, and some implementations require a valid AS number in the BGP message data. To deliver malicious messages to such systems, an attacker would need to spoof a TCP connection or have access to a trusted BGP peer. The attacker may also need to know a valid AS number.

For information about specific BGP implementations, please see the Systems Affected section below.

**Impact**

A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing problems that may adversely affect Internet traffic.

**Solution**

**Apply a patch or upgrade**  
Apply a patch or upgrade as specified by your vendor.

**Restrict BGP access**

Using access control lists (ACLs) and BGP configuration settings, restrict access to valid networks and BGP peers.

**Authenticate BGP messages**

TCP MD5 (RFC 2385), IPsec, and S-BGP provide cryptographic authentication of network connections and/or BGP messages. Various performance and key distribution issues are associated with these authentication methods.

**Use out-of-band management channels**

When possible, use an out-of-band channel, such as a separate network, to transmit BGP other management traffic.

**Vendor Information**

Filter by content: Additional information available

 Sort by:

  
**CVSS Metrics**

Group

Score

Vector

Base

Temporal

Environmental

  
**References****Acknowledgements**

These vulnerabilities were reported as a result of research done by Cisco. Thanks to Cisco for sharing this research and helping to coordinate the disclosure of information about these vulnerabilities.

This document was written by Art Manion.

**Other Information**

**CVE IDs:**

CVE-2004-0589

**Severity Metric:**

8.60

**Date Public:**

2004-06-16

**Date First Published:**

2004-06-16

**Date Last Updated:**

2004-06-28 16:09 UTC

**Document Revision:**

39

CVE-2004-0589: CERT/CC Vulnerability Note VU#784540

Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

CVE-1999-0843: IBM X-Force Exchange

Cisco Gigabit Switch routers running IOS allow remote attackers to forward unauthorized packets due to improper handling of the "established" keyword in an access list.

Tag

#cisco