I know a lot of folks are using RealVNC, just thought you might be interested in this security vulnerability.....
>"Internet Security Systems Security Brief
>>May 25, 2006
>>
>>RealVNC Authentication Bypass
>>
>>Summary:
>>
>>During the second week of May, a RealVNC vulnerability was publicly
>>announced. This issue allows a remote attacker to obtain access to a
>>vulnerable system without authentication.
>>
>>This week, our researchers detected active exploitation. This exploitation
>>indicates that attackers are connecting to vulnerable servers and gaining
>>unauthorized access (not simply probes for the vulnerability).
>>
>>Description:
>>
>>RealVNC Free Edition, Personal Edition, and Enterprise Edition could allow a
>>remote attacker to bypass authentication and gain unauthorized access to the
>>system. This is caused by the improper validation of the client
>>authentication method which could allow an attacker to successfully
>>authenticate to an affected system using the null authentication method.
>>
>>Affected Products:
>>
>>RealVNC Ltd.: RealVNC Enterprise Edition 4.0 to 4.2.2
>>RealVNC Ltd.: RealVNC Free Edition 4.0 to 4.1.1
>>RealVNC Ltd.: RealVNC Personal Edition 4.0 to 4.2.2
>>
>>On May 15th, RealVNC released patches, and customers were urged to upgrade to
>>version 4.1.2 of the Free Edition or version 4.2.3 of the Personal
>>Edition/Enterprise Edition.
>>
>>Business Impact:
>>
>>Compromise of the application can lead to exposure of
>>confidential information, loss of productivity, and further network
>>compromise. Successful exploitation of this vulnerability could
>>be used to gain unauthorized access to networks and machines."

============================================
Cindy Sievers
Los Alamos National Laboratory   siev...@lanl.gov
Group CCS-1 MS B287              tel:505.665.6602
Advanced Computing               fax:505.665.4939
Los Alamos, NM 87544
============================================
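
An added example, not part of the original message or of the ISS brief: a small triage script that sorts an installation inventory against the affected ranges and fixed versions quoted above. The inventory format, host names and status labels are assumptions constructed for illustration.

```python
# Affected ranges and fixed versions exactly as listed in the quoted brief:
# edition -> (first affected, last affected, fixed version)
ADVISORY = {
    "enterprise": ((4, 0, 0), (4, 2, 2), (4, 2, 3)),
    "free":       ((4, 0, 0), (4, 1, 1), (4, 1, 2)),
    "personal":   ((4, 0, 0), (4, 2, 2), (4, 2, 3)),
}

def parse_version(text):
    """Turn '4.1.1' into (4, 1, 1), zero-padded to three parts."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def triage(edition, version):
    """Return (status, upgrade_target_or_None) for one installation."""
    entry = ADVISORY.get(edition.strip().lower())
    if entry is None:
        return ("unknown-edition", None)
    low, high, fixed = entry
    try:
        v = parse_version(version)
    except ValueError:
        return ("unknown-version", None)   # needs a manual check
    if low <= v <= high:
        return ("affected", ".".join(map(str, fixed)))
    if v >= fixed:
        return ("fixed", None)
    return ("not-listed", None)            # older than 4.0: brief is silent

# Constructed sample inventory: host, edition, reported version.
SAMPLE_INVENTORY = """\
ws-014   Free        4.1.1
ws-022   Free        4.1.2
srv-03   Enterprise  4.2.2
srv-07   Personal    4.2.3
lab-01   Free        3.3.7
kiosk-5  Enterprise  unknown
"""

def audit(inventory):
    """Map each host in a whitespace-separated inventory to its triage result."""
    rows = (line.split() for line in inventory.splitlines())
    return {r[0]: triage(r[1], r[2]) for r in rows if len(r) == 3}

if __name__ == "__main__":
    for host, (status, target) in audit(SAMPLE_INVENTORY).items():
        print(host, status, f"-> upgrade to {target}" if target else "")
```

Hosts reported as `unknown-version` or `unknown-edition` should be checked by hand, not assumed safe.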