http://securitytracker.com/alerts/2004/Aug/1011072.html:

RealVNC VNC Server Can Be Crashed By Remote Users

SecurityTracker Alert ID: 1011072
SecurityTracker URL: http://securitytracker.com/id?1011072
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 26 2004
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 4.0 and prior versions

Description: A vulnerability was reported in RealVNC's VNC server. A remote user can cause the target service to crash. Allan Zhang reported that a remote user can establish more than 60 connections to the target VNC service to cause the target service to crash.

A demonstration exploit script is provided:

for i in `seq 1 61`
do
nc <server_ip> 5900
done

Impact: A remote user can cause the VNC service to crash.
Solution: No solution was available at the time of this entry.
Vendor URL: www.realvnc.com/
Cause: Resource error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments: Tested on Windows 2000
Reported By: Allan Zhang <zhangliangsd@hotmail.com>

____

http://osvdb.org/displayvuln.php?osvdb_id=9187
http://secunia.com/advisories/13143/
Most sources seem to list 4.0 as affected, which is marked ~arch. SecurityTracker lists 4.0 and prior. OSVDB has this as verified and lists 4.0 as possibly affected. There does not seem to be any patched version out there.
Aliz, please verify and advise.
Aliz is MIA. Ack from upstream:
---------------------------------
Yes, there is a problem in the way that the current release of VNC Server 4 for Windows handles excessive connection attempts.

Note that the free VNC release is not designed for use on untrusted networks - if you need to access a free VNC Server across the Internet then you should use a system such as SSH to "tunnel" the connections securely between sites.

The upcoming VNC Server Enterprise Edition ( http://www.realvnc.com/products/enterprise/ ) includes protection from this and a class of similar but more advanced attacks. This protection will also be included in the next VNC Server 4 GPL release.

Cheers,
Wez @ RealVNC Ltd.
----------------------------------
So it should be fixed soon...
Author keyphrase is "Note that the free VNC release is not designed for use on untrusted networks". So this could be considered by design, and just needing a warning on the ebuild that it's vulnerable to DoS and shouldn't be exposed on untrusted networks. Opinions?
Agreed.
Switching this to default configs. A warning should be added to the VNC ebuild that it's not designed to be used on untrusted networks.
Aliz, please add a warning to the ebuild that VNC was not designed to be used on untrusted networks and should be properly tunnelled in this case. DoS and spontaneous ignition can occur if you don't.
Warning added to 4.0 and 4.0-r1
Thx!
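One way an administrator could act on the warning discussed in this thread, as an added example that is not part of the original bug report, the ebuild, or RealVNC's code: it reports VNC listeners bound to non-loopback addresses and counts established connections per peer against the "more than 60" figure from the advisory. The function names, the `LIMIT` variable and all addresses are assumptions constructed for illustration; input is expected in the column layout of `ss -Htn` and `ss -Htln`.

```shell
# Added example: audit VNC exposure from `ss` output. All addresses are constructed.
VNC_PORT=5900
LIMIT=60   # the advisory reports a crash at more than 60 connections

# Reads `ss -Htn` lines (State Recv-Q Send-Q Local Peer) on stdin.
# Prints "<peer> <count>" per remote address, then "total <n> <OVER|ok>".
vnc_conn_report() {
    awk -v port="$VNC_PORT" -v limit="$LIMIT" '
        $1 == "ESTAB" {
            n = split($4, loc, ":")
            if (loc[n] != port) next          # not the VNC port
            peer = $5
            sub(/:[0-9]+$/, "", peer)         # strip the peer source port
            count[peer]++
            total++
        }
        END {
            for (p in count) printf "%s %d\n", p, count[p]
            printf "total %d %s\n", total, (total > limit ? "OVER" : "ok")
        }' | sort
}

# Reads `ss -Htln` lines on stdin; prints VNC listeners not bound to loopback.
vnc_exposed_listeners() {
    awk -v port="$VNC_PORT" '
        $1 == "LISTEN" {
            n = split($4, loc, ":")
            if (loc[n] != port) next
            if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) next   # loopback only: tunnelled use
            print $4
        }'
}

# Constructed sample: 61 connections from one peer, one from another, one SSH.
sample_established() {
    i=0
    while [ "$i" -lt 61 ]; do
        echo "ESTAB 0 0 10.0.0.5:5900 192.0.2.10:$((40000 + i))"
        i=$((i + 1))
    done
    echo "ESTAB 0 0 10.0.0.5:5900 198.51.100.7:51515"
    echo "ESTAB 0 0 10.0.0.5:22 198.51.100.7:51600"
}

sample_established | vnc_conn_report
printf 'LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*\nLISTEN 0 5 127.0.0.1:5900 0.0.0.0:*\n' | vnc_exposed_listeners
```

On a live host the same functions can be fed with `ss -Htn | vnc_conn_report` and `ss -Htln | vnc_exposed_listeners`; an empty result from the second means the server is only reachable through a local tunnel such as SSH.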