Red Hat Bugzilla – Bug 191692
CVE-2006-2369 bypass authentication in vnc 4.1.1
Last modified: 2007-11-30 17:11:32 EST
It was reported that it was possible to bypass vnc authentication in version 4.1.1.
www.realvnc.com has released a version 4.1.2 to correct this flaw, but as of
today they haven't released the source code. However a third party looked and
found what seems to be the problem:
I've verified that by altering a client in this way you are able to bypass
password authentication in vnc 4.1.1 but not in earlier versions as shipped in
Red Hat Enterprise Linux (their server connection source code is different).
Update needed for FC4 and FC5
vnc-4.1.1-10.1.fc4 has been pushed for fc4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
vnc-4.1.1-37.fc5 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
Authentication seems to be broken for vnc-4.1.1-37.fc5/vnc-server-4.1.1-37.fc5,
no vnc connection possible at all:
- start "Xvnc :1"
- start "vncviewer :1" in another console
> Wed May 17 13:40:36 2006
> CConn: connected to host localhost port 5901
> CConnection: Server supports RFB protocol version 3.8
> CConnection: Using RFB protocol version 3.8
> main: End of stream
- output of "Xvnc :1"
> Connections: accepted: 127.0.0.1::47730
> SConnection: Client needs protocol version 3.8
> SConnection: Client requests security type VncAuth(2)
> SConnection: unexpected security type
> Connections: closed: 127.0.0.1::47730 (unexpected security type)
Please try with version 4.1.1-38.fc5, the problem should be fixed there.
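The Xvnc log in the report above ends with the server closing the connection on an "unexpected security type". As an added example (not RealVNC's or Red Hat's code), the following models the server side of RFB 3.8 security-type negotiation, accepting the client's one-byte reply only when the server offered that type and still accepting a type that was offered. The function names and the sample server configuration are assumptions made for illustration.

```python
# Added example: server-side RFB 3.8 security-type negotiation (constructed model).
SEC_NONE, SEC_VNCAUTH = 1, 2          # security type numbers from the RFB protocol
NAMES = {SEC_NONE: "None", SEC_VNCAUTH: "VncAuth"}


class HandshakeError(Exception):
    """Raised when the connection must be closed during negotiation."""


def offer_message(offered):
    """Bytes the server sends: a count byte, then one byte per offered type."""
    if not offered:
        raise HandshakeError("no security types configured")
    return bytes([len(offered)]) + bytes(offered)


def select_security_type(offered, client_reply):
    """Return the client's choice only if the server actually offered it."""
    if len(client_reply) != 1:
        raise HandshakeError("security type reply must be one byte")
    chosen = client_reply[0]
    if chosen not in offered:
        raise HandshakeError("unexpected security type")
    return chosen


def negotiate(offered, client_reply):
    """Run one negotiation and return a log-style result string."""
    try:
        offer_message(offered)
        chosen = select_security_type(offered, client_reply)
    except HandshakeError as err:
        return "closed (%s)" % err
    return "selected %s(%d)" % (NAMES.get(chosen, "type"), chosen)


if __name__ == "__main__":
    # Hypothetical server configured with a password: it offers VncAuth only.
    password_server = [SEC_VNCAUTH]
    print(negotiate(password_server, bytes([SEC_VNCAUTH])))  # type that was offered
    print(negotiate(password_server, bytes([SEC_NONE])))     # type never offered
```

A regression test for a fix of this kind needs both cases: the offered type must still be selectable, and a type outside the offered list must close the connection.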