Your message dated Sun, 29 Oct 2006 10:23:04 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#395809: vnc4 authentication bypass
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vnc4
Version: 4.1.1+X4.3.0-19
Severity: grave
Tags: security

RealVNC 4.1.2 was released to plug holes in authentication handling.  
Quoting the CVE:

'allows remote attackers to bypass authentication via a request in which 
the client specifies an insecure security type such as "Type 1 - None", 
which is accepted even if it is not offered by the server...'

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369
http://www.realvnc.com/products/free/4.1/release-notes.html

-- 
Kees Cook                                            @outflux.net


--- End Message ---
--- Begin Message ---
Version: 4.1.1+X4.3.0-10

Hi

Thanks for letting me know, but this was actually fixed in the
Debian package before the fixed realvnc was released, and before a CVE
number was assigned to the issue (if I remember correctly). The
fix in Debian is slightly different, but corrects the same issue.
As that fix is the only change the upstream version 4.1.2 makes
from 4.1.1, I have decided not to go up to that version.

vnc4 (4.1.1+X4.3.0-10) unstable; urgency=high

   * Correction of critical security issue. Thanks to Martin Kogler
     <[EMAIL PROTECTED]> who informed me about the issue,
     and provided the patch.
     This flaw was originally found by Steve Wiseman of intelliadmin.com.
   * Applied patch from Javier Kohen <[EMAIL PROTECTED]> that
     informs the user that only the first 8 characters of the password will
     actually be used when typing more than 8 characters, closes:
     #355619.

 -- Ola Lundqvist <[EMAIL PROTECTED]>  Mon, 15 May 2006 20:35:17 +0200 

This is the correction that the Debian version contains:

--- rfb/SConnection.old 2006-05-13 21:58:56.000000000 +0200
+++ rfb/SConnection.cxx 2006-05-13 22:05:43.000000000 +0200
@@ -181,6 +181,17 @@
   vlog.info("Client requests security type %s(%d)",
             secTypeName(secType),secType);

+  std::list<rdr::U8> secTypes;
+  std::list<rdr::U8>::iterator i;
+  securityFactory->getSecTypes(&secTypes, reverseConnection);
+  for (i=secTypes.begin(); i!=secTypes.end(); i++)
+    if (*i == secType)
+      break;
+
+  if (*i != secType)
+    throwConnFailedException("unexpected security type");
+
+
   try {
     state_ = RFBSTATE_SECURITY;
     security = securityFactory->getSSecurity(secType, reverseConnection);
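Review bot: when the loop finds no match, `i` equals `secTypes.end()` and the guard `if (*i != secType)` dereferences the end iterator, which is undefined behaviour; the same dereference happens when `getSecTypes()` returns an empty list, since then `begin() == end()` and the loop body never runs. Compare the iterator rather than its value: `if (i == secTypes.end()) throwConnFailedException("unexpected security type");`. That also removes the reliance on the out-of-range read happening to yield a value different from `secType`, which is what the rejection currently depends on.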


And the difference between the upstream and the Debian fix is:

The source for 4.1.2 is now available:
http://www.realvnc.com/pipermail/vnc-list/2006-May/054936.html

The main difference from my patch is that they use
  if (i == secTypes.end())
to check for an invalid security type. I use
  if (*i != secType)

(I in this case is Martin Kögler, who helped me with a quick
correction for this issue).

Some more information about this issue can be found in:

http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
http://it.slashdot.org/article.pl?sid=06/05/11/2344217&from=rss
http://www.freerepublic.com/focus/f-news/1630902/posts
http://www.securityfocus.com/archive/1/433994/30/0/threaded

Best regards,

// Ola

On Fri, Oct 27, 2006 at 02:20:49PM -0700, Kees Cook wrote:
> Package: vnc4
> Version: 4.1.1+X4.3.0-19
> Severity: grave
> Tags: security
> 
> RealVNC 4.1.2 was released to plug holes in authentication handling.  
> Quoting the CVE:
> 
> 'allows remote attackers to bypass authentication via a request in which 
> the client specifies an insecure security type such as "Type 1 - None", 
> which is accepted even if it is not offered by the server...'
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2369
> http://www.realvnc.com/products/free/4.1/release-notes.html
> 
> -- 
> Kees Cook                                            @outflux.net
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                     Annebergsslingan 37      \
|  [EMAIL PROTECTED]                 654 65 KARLSTAD          |
|  +46 (0)54-10 14 30                  +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------

--- End Message ---
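The thread above contrasts two ways of checking that the client's chosen security type is one the server actually offered. The following is an added example, not code from the Debian vnc4 package or from RealVNC: it models the RFB security-type negotiation step in isolation and implements the check the upstream way, comparing the iterator against `end()` so that an unmatched or empty list is rejected without reading past it. The names `getSecTypes`, `isOfferedSecType`, `validateSecType` and `acceptsSecType`, and the reverse-connection policy in `getSecTypes`, are assumptions made for this example; only the shape of the check mirrors the patch in the thread.

```cpp
// Added example, not part of the bug thread or the vnc4 sources.
// Models the RFB security-type negotiation that CVE-2006-2369 concerns:
// the server advertises a list of security types, the client picks one,
// and the server must refuse any choice it did not offer.
#include <algorithm>
#include <cstdint>
#include <list>
#include <stdexcept>

namespace rfb_example {

typedef std::uint8_t U8;

// Security type codes as defined by the RFB protocol (RFC 6143, section 7.1.2).
const U8 secTypeInvalid = 0;
const U8 secTypeNone    = 1;
const U8 secTypeVncAuth = 2;

// Stand-in (assumed here) for SecurityFactory::getSecTypes(): what a
// password-protected server advertises. For a normal inbound connection
// it offers only VNC authentication, never "None".
void getSecTypes(std::list<U8>* secTypes, bool reverseConnection) {
  secTypes->clear();
  if (reverseConnection) {
    // Policy assumed for the example: a server that dialed out to a
    // viewer is allowed to skip authentication.
    secTypes->push_back(secTypeNone);
  } else {
    secTypes->push_back(secTypeVncAuth);
  }
}

// The hardened check: the requested type must appear in the offered list.
// The iterator is compared against end() rather than dereferenced, so a
// missing type or an empty list can never read past the end of the list.
bool isOfferedSecType(const std::list<U8>& secTypes, U8 secType) {
  return std::find(secTypes.begin(), secTypes.end(), secType) != secTypes.end();
}

// Mirrors the patched negotiation step: refuse before entering the
// security state with an unoffered type. Returns the accepted type.
U8 validateSecType(U8 secType, bool reverseConnection) {
  std::list<U8> secTypes;
  getSecTypes(&secTypes, reverseConnection);
  if (!isOfferedSecType(secTypes, secType))
    throw std::runtime_error("unexpected security type");
  return secType;
}

// Boolean wrapper for callers that prefer a result to an exception.
bool acceptsSecType(U8 secType, bool reverseConnection) {
  try {
    validateSecType(secType, reverseConnection);
    return true;
  } catch (const std::runtime_error&) {
    return false;
  }
}

} // namespace rfb_example
```

With this check in place a client asking for "None" (type 1) on an inbound connection is refused because the server never offered it, which is exactly the condition the unpatched 4.1.1 server failed to enforce; the `std::find` form is equivalent to the upstream `i == secTypes.end()` test and avoids the end-iterator dereference that the `*i != secType` form performs when nothing matched.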
