{"vuid":"VU#117929","idnumber":"117929","name":"RealVNC Server does not validate client authentication method","keywords":["RealVNC","authentication bypass","authentication session","VNC"],"overview":"The RealVNC Server fails to properly authenticate clients. This may allow a remote attacker to bypass authentication and gain access to the VNC server.","clean_desc":"The Virtual Network Computing (VNC) Protocol According to RealVNC, \"The VNC protocol is a simple protocol for remote access to graphical user interfaces.\" RealVNC RealVNC is an implementation of the VNC protocol. The Problem The RealVNC Server fails to properly authenticate clients. When a RealVNC client connects to a RealVNC server, the server provides a list of supported authentication methods. By design, the client then selects a method from the list. Due to an implementation flaw, if the client specifies that no (null) authentication should be used, the server accepts this method and authenticates the client, whether or not null authentication was offered by the server. Note that exploit code for this vulnerability is publicly available.","impact":"A remote, unauthenticated attacker could gain access to a system running RealVNC server. If the RealVNC server runs with administrative privileges, the attacker could gain complete control of the system.","resolution":"Upgrade\nThis issue is corrected in RealVNC version 4.1.2, RealVNC Personal Edition 4.2.3, and RealVNC Enterprise Edition 4.2.3. Refer to the RealVNC Downloads site to get a patched version.","workarounds":"Prompt Local Users to Accept Connections Until updates can be applied, selecting the Prompt local user to accept connections option may prevent attackers from gaining a VNC session by exploiting this vulnerability. See the authentication section of the RealVNC user guide for more information.","sysaffected":"","thanks":"This vulnerability was reported by James Evans.","author":"This document was written by Jeff Gennari.","public":["http://www.realvnc.com/howitworks.html","http://www.realvnc.com/products/free/4.1/winvnc.html#Security","http://www.realvnc.com/products/free/4.1/release-notes.html","http://www.realvnc.com/products/personal/4.2/release-notes.html","http://www.realvnc.com/products/enterprise/4.2/release-notes.html","http://marc.theaimsgroup.com/?l=bugtraq&m=114771408013890&w=2"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-05-15T20:10:10Z","publicdate":"2006-05-15T00:00:00Z","datefirstpublished":"2006-05-16T14:20:39Z","dateupdated":"2008-02-26T14:09:29Z","revision":47,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"10","cam_internetinfrastructure":"3","cam_population":"11","cam_impact":"14","cam_easeofexploitation":"20","cam_attackeraccessrequired":"16","cam_scorecurrent":"30.492","cam_scorecurrentwidelyknown":"30.492","cam_scorecurrentwidelyknownexploited":"39.732","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":30.492,"vulnote":null}