RealVNC authentication bypass

realvnc-auth-bypass (26445)

High Risk

Description:

RealVNC Free Edition, Personal Edition, and Enterprise Edition could allow a remote attacker to bypass authentication and gain unauthorized access to the system. This is caused by the improper validation of the client authentication method which could allow an attacker to successfully authenticate to an affected system using the null authentication method.

Platforms Affected:

• Adder Technology, AdderLink IP prior to 3.3
• RealVNC, RealVNC 4.0 - 4.2.2 Personal
• RealVNC, RealVNC 4.0 - 4.2.2 Enterprise
• RealVNC, RealVNC 4.1.0 Free
• RealVNC, RealVNC 4.1.1 Free

Remedy:

Upgrade to the latest version of RealVNC Free Edition, Personal Edition or Enterprise Edition, available from the RealVNC Web site. See References.

For AdderLink IP:
Upgrade to the latest firmware version (3.3 or later), available from the Adder Web site. See References.

Consequences:

Gain Access

References:

• Adder Web site, Adder Announces version 3.3 AdderLink IP Firmware at http://news.adder.com/article_36.asp.
• Cisco Security Response 2006 June 22 1530 UTC (GMT), RealVNC Remote Authentication Bypass Vulnerability at http://www.cisco.com/en/US/products/hw/voiceapp/ps967/tsd_products_security_response09186a00806c4c31.html.
• Full-Disclosure Mailing List, Mon May 15 2006 - 03:56:43 CDT, RealVNC 4.1.1 Remote Compromise at http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html.
• IntelliAdmin Blog 5/8/2006, Security flaw in RealVNC 4.1.1 at http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html.
• Internet Security Systems Protection Alert May 25, 2006, RealVNC Authentication Bypass at http://xforce.iss.net/xforce/alerts/id/222.
• RealVNC Web site, VNC Personal Edition 4.2 - Release Notes at http://www.realvnc.com/products/personal/4.2/release-notes.html.
• RealVNC Web site, VNC Downloads at http://www.realvnc.com/download.html.
• RealVNC Web site, VNC 4.1 - Release Notes at http://www.realvnc.com/products/free/4.1/release-notes.html.
• RealVNC Web site, VNC Enterprise Edition 4.2 - Release Notes at http://www.realvnc.com/products/enterprise/4.2/release-notes.html.
• BID-17978: RealVNC Remote Authentication Bypass Vulnerability
• BID-18001: AdderLink IP Unspecified Vulnerability
• CVE-2006-2369: RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as Type 1 - None, which is accepted even if it is not offered by the server, as originally demonstrated using a long password.
• OSVDB ID: 25479: RealVNC Remote Password Authentication Bypass
• SA20107: RealVNC Password Authentication Bypass Vulnerability
• SA20109: AdderLink IP Unspecified VNC Vulnerability
• SA20789: Cisco Products RealVNC Password Authentication Bypass
• SECTRACK ID: 1016083: RealVNC May Let Remote Users Connect Without Authenticating
• US-CERT VU#117929: RealVNC Server does not validate client authentication method
• VUPEN/ADV-2006-1790: RealVNC Remote Authentication Bypass and Unauthorized Access Vulnerability
• VUPEN/ADV-2006-1821: AdderLink IP Security Update Fixes VNC Authentication Bypass Vulnerability
• VUPEN/ADV-2006-2492: Cisco CallManager Security Update Fixes RealVNC Authentication Bypass Vulnerability

Reported:

May 08, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page