Bug 191692

Summary: CVE-2006-2369 bypass authentication in vnc 4.1.1
Product: [Fedora] Fedora
Reporter: Mark J. Cox <mjc>
Component: vnc
Assignee: Radek Vokál <rvokal>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: urgent
Priority: medium
Version: 5
CC: jens, redhat
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: public=20060508,impact=important,source=slashdot,reported=20060511
Fixed In Version: 4.1.1-38.fc5
Doc Type: Bug Fix
Last Closed: 2006-05-24 15:34:37 UTC

Description Mark J. Cox 2006-05-15 10:15:03 UTC
It was reported that it was possible to bypass vnc authentication in version 4.1.1
http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html

www.realvnc.com has released a version 4.1.2 to correct this flaw, but as of
today they haven't released the source code.  However a third party looked and
found what seems to be the problem:
http://marc.theaimsgroup.com/?l=vnc-list&m=114755444130188&w=2

I've verified that by altering a client in this way you are able to bypass
password authentication in vnc 4.1.1 but not in earlier versions as shipped in
Red Hat Enterprise Linux (their server connection source code is different).

Update needed for FC4 and FC5

Comment 1 Fedora Update System 2006-05-16 17:48:10 UTC
vnc-4.1.1-10.1.fc4 has been pushed for fc4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 2 Fedora Update System 2006-05-16 17:48:29 UTC
vnc-4.1.1-37.fc5 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 3 Jens Hoelldampf 2006-05-17 11:43:30 UTC
Authentication seems to be broken for vnc-4.1.1-37.fc5/vnc-server-4.1.1-37.fc5,
no vnc connection possible at all:

- start "Xvnc :1"

- start "vncviewer :1" in another console
> [...]
> Wed May 17 13:40:36 2006
> CConn:       connected to host localhost port 5901
> CConnection: Server supports RFB protocol version 3.8
> CConnection: Using RFB protocol version 3.8
> main:        End of stream

- output of "Xvnc :1"
> Connections: accepted: 127.0.0.1::47730
> SConnection: Client needs protocol version 3.8
> SConnection: Client requests security type VncAuth(2)
> SConnection: unexpected security type
> Connections: closed: 127.0.0.1::47730 (unexpected security type)


Comment 4 Jitka Kozana 2006-05-22 11:35:23 UTC
Please try with version 4.1.1-38.fc5, the problem should be fixed there.
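
Added example, not part of the bug report: a small log check for the failure shown in Comment 3, useful for confirming whether an updated vnc-server package still closes connections with "unexpected security type" and which security type the client had requested. The second session in the sample is constructed, and because the SConnection lines carry no peer address, the script assumes they belong to the most recently accepted connection.

```python
import re
from collections import Counter

# Constructed sample: the first session is the Xvnc output from Comment 3;
# the second session (peer address and close reason) is made up.
SAMPLE_LOG = """\
> Connections: accepted: 127.0.0.1::47730
> SConnection: Client needs protocol version 3.8
> SConnection: Client requests security type VncAuth(2)
> SConnection: unexpected security type
> Connections: closed: 127.0.0.1::47730 (unexpected security type)
Connections: accepted: 192.0.2.10::50112
SConnection: Client requests security type VncAuth(2)
Connections: closed: 192.0.2.10::50112 (Clean disconnection)
"""

ACCEPTED = re.compile(r"Connections: accepted: (\S+)::(\d+)")
REQUESTED = re.compile(r"Client requests security type (\w+)\((\d+)\)")
CLOSED = re.compile(r"Connections: closed: (\S+)::(\d+) \((.*)\)")


def rejected_negotiations(log_text):
    """Return one record per connection closed for 'unexpected security type'."""
    current = None   # peer of the most recent 'accepted' line
    requested = {}   # peer -> (type name, type number) it asked for
    findings = []
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate '>'-quoted pastes
        if m := ACCEPTED.search(line):
            current = f"{m[1]}::{m[2]}"
        elif (m := REQUESTED.search(line)) and current:
            # Assumption: SConnection lines belong to the latest accepted peer.
            requested[current] = (m[1], int(m[2]))
        elif m := CLOSED.search(line):
            peer = f"{m[1]}::{m[2]}"
            name, number = requested.pop(peer, (None, None))
            if m[3] == "unexpected security type":
                findings.append({"peer": peer, "host": m[1],
                                 "type": name, "type_number": number})
    return findings


def summarize(findings):
    """Count rejections per (client host, requested security type)."""
    return Counter((f["host"], f["type"]) for f in findings)


if __name__ == "__main__":
    for (host, sec_type), n in summarize(rejected_negotiations(SAMPLE_LOG)).items():
        print(f"{host}: {n} connection(s) rejected after requesting {sec_type}")
```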