[AG-TECH] RealVNC Authentication Bypass
sievers at lanl.gov
Tue May 30 10:01:37 CDT 2006
I know a lot of folks are using RealVNC, just thought you might be
interested in this security vulnerability.....
>"Internet Security Systems Security Brief
>>May 25, 2006
>>RealVNC Authentication Bypass
>>During the second week of May, a RealVNC vulnerability was publicly
>>announced. This issue allows a remote attacker to obtain access to a
>>vulnerable system without authentication.
>>This week, our researchers detected active exploitation. This exploitation
>>indicates that attackers are connecting to vulnerable servers and gaining
>>unauthorized access (not simply probes for the vulnerability).
>>RealVNC Free Edition, Personal Edition, and Enterprise Edition could allow a
>>remote attacker to bypass authentication and gain unauthorized access to the
>>system. This is caused by the improper validation of the client
>>authentication method which could allow an attacker to successfully
>>authenticate to an affected system using the null authentication method.
>>RealVNC Ltd.: RealVNC Enterprise Edition 4.0 to 4.2.2
>>RealVNC Ltd.: RealVNC Free Edition 4.0 to 4.1.1
>>RealVNC Ltd.: RealVNC Personal Edition 4.0 to 4.2.2
>>On May 15th, RealVNC released patches, and customers were urged to upgrade to
>>version 4.1.2 of the Free Edition or version 4.2.3 of the Personal
>>Compromise of the application can lead to exposure of
>>confidential information, loss of productivity, and further network
>>compromise. Successful exploitation of this vulnerability could
>>be used to gain unauthorized access to networks and machines."
Cindy Sievers Los Alamos National Laboratory
sievers at lanl.gov Group CCS-1 MS B287
tel:505.665.6602 Advanced Computing
fax:505.665.4939 Los Alamos, NM 87544
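
The brief quoted above attributes the bypass to improper validation of the client's chosen authentication method. The following is an added example, not part of the original message and not RealVNC's code: a server-side check that the security type a client selects is one the server actually advertised, shown next to the unchecked pattern. The struct and function names are hypothetical; the type codes (1 = None, 2 = VNC Authentication) are those of the RFB protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFB security-type codes as defined by the RFB protocol. */
enum { RFB_SEC_INVALID = 0, RFB_SEC_NONE = 1, RFB_SEC_VNC_AUTH = 2 };

/* Hypothetical per-connection state: the types this server advertised. */
struct rfb_offer {
    uint8_t types[8];
    size_t  count;
};

/* Unchecked pattern: accepts any type the code knows how to handle,
 * without confirming that the server offered it on this connection. */
int select_type_unchecked(const struct rfb_offer *offer, uint8_t chosen)
{
    (void)offer;
    return chosen == RFB_SEC_NONE || chosen == RFB_SEC_VNC_AUTH;
}

/* Checked pattern: the client's choice must be one of the advertised types. */
int select_type_checked(const struct rfb_offer *offer, uint8_t chosen)
{
    if (offer == NULL || chosen == RFB_SEC_INVALID)
        return 0;
    if (offer->count > sizeof offer->types)
        return 0;                       /* corrupt state: fail closed */
    for (size_t i = 0; i < offer->count; i++)
        if (offer->types[i] == chosen)
            return 1;
    return 0;
}

/* Constructed sample: a server configured for password authentication only. */
static const struct rfb_offer password_only = { { RFB_SEC_VNC_AUTH }, 1 };

int main(void)
{
    printf("unchecked, client selects None: %s\n",
           select_type_unchecked(&password_only, RFB_SEC_NONE) ? "accepted" : "rejected");
    printf("checked,   client selects None: %s\n",
           select_type_checked(&password_only, RFB_SEC_NONE) ? "accepted" : "rejected");
    printf("checked,   client selects VNC auth: %s\n",
           select_type_checked(&password_only, RFB_SEC_VNC_AUTH) ? "accepted" : "rejected");
    return 0;
}
```
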