The handlers have been discussing and investigating reports forwarded by many of our readers regarding the disclosure of an authentication bypass specifically affecting version 4.1.1 of the RealVNC product. Because we have been unable to confirm the vulnerability, we had chosen to hold back on posting about this specifically to avoid spreading FUD (which I personally seem to have an unfortunate penchant for doing). Given that we are receiving the kind and welcome forwarding of this disclosure from so many avid readers, and given the inherent risk this may pose due to the considerable deployment base of VNC products, it is reasonable to think that many installations are exposed, unprotected and potentially vulnerable on the public internet. We've chosen to post this here for awareness and to enable a larger audience to evaluate their own risk levels associated with this issue.
We have reached out to the disclosure point of contact at IntelliAdmin and are awaiting a response so that we can independently confirm this vulnerability with them directly and remove the concern of this being primarily hearsay. The IntelliAdmin website boasts a PoC to test whether your installation is vulnerable, but it is conveniently unavailable due to the statement that the Slashdotting of the site was overloading the test.
The RealVNC website at http://www.realvnc.com does not yet acknowledge this vulnerability, and with version 4.1.1 being the current release, I personally recommend employing either network ACLs to prevent arbitrary access from the internet or configuring the application-level ACLs to allow only specific endpoints to connect to your VNC services.
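As an added illustration of the endpoint-allowlist advice above (this is example code written for this post, not RealVNC's software or IntelliAdmin's PoC), the script below parses an assumed allow/deny pattern string, evaluates it against constructed VNC connection log lines, and reports sessions that came from outside the allowed endpoints. The pattern syntax and log format are assumptions made for the example.

```python
import ipaddress
import re

# Assumed allow/deny pattern format (modelled on a RealVNC-style "Hosts"
# setting): comma-separated entries, each "+" (allow) or "-" (deny) followed
# by address/netmask; the first matching entry decides, no match means deny.
ACL = "+10.20.0.0/255.255.0.0,+192.168.1.0/255.255.255.0,-0.0.0.0/0.0.0.0"

# Constructed sample log lines (not a real RealVNC log format).
SAMPLE_LOG = """\
2006-05-12 09:14:02 Connection accepted from 10.20.4.17:51022
2006-05-12 09:15:47 Connection accepted from 203.0.113.45:40211
2006-05-12 09:16:03 Connection accepted from 192.168.1.9:33120
2006-05-12 09:20:11 Connection accepted from 198.51.100.7:60001
"""

LOG_RE = re.compile(r"^(\S+ \S+) Connection accepted from (\d+\.\d+\.\d+\.\d+):\d+")


def parse_acl(acl):
    """Turn the pattern string into an ordered list of (allow, network)."""
    rules = []
    for entry in acl.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry[0] not in "+-":
            raise ValueError(f"bad ACL entry: {entry!r}")
        addr, _, mask = entry[1:].partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        rules.append((entry[0] == "+", net))
    return rules


def is_allowed(rules, source):
    """First matching rule wins; a source matching no rule is denied."""
    ip = ipaddress.ip_address(source)
    for allow, net in rules:
        if ip in net:
            return allow
    return False


def audit(log_text, acl):
    """Return (timestamp, source) for sessions the ACL should have refused."""
    rules = parse_acl(acl)
    unexpected = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_allowed(rules, m.group(2)):
            unexpected.append((m.group(1), m.group(2)))
    return unexpected


if __name__ == "__main__":
    for ts, src in audit(SAMPLE_LOG, ACL):
        print(f"{ts}: VNC session from {src} is outside the endpoint allowlist")
```

Run against a real server's connection log (after adapting LOG_RE), any reported line is a session that a properly applied ACL would have blocked before authentication was ever attempted.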
Beyond that, keep in mind that this is reported to be a remote access authentication bypass, not to be confused with a buffer overflow associated with direct OS-privileged access. I would hope that someone successfully abusing this flaw would gain only the remote viewing of the MS GINA login prompt. An attacker would still have to brute force authentication credentials. After all, your VNC instances are configured to automatically lock the screen after disconnect and to allow only a single user to be connected, am I right?
The disclosure is covered in a blog available at the following URL:
We'll keep you posted as this develops.
Handler on Duty!
May 12th 2006