Update Protection against VNC Authentication Bypass Vulnerability
| Check Point Reference: | CPAI-2006-071 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | IntelliAdmin | |
| Industry Reference(s): | CVE-2006-2369 US-CERT VU#117929 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? RealVNC Free Edition version 4.1.1 and prior RealVNC Personal Edition version 4.2.2 and prior RealVNC Enterprise Edition version 4.2.2 and prior | ||
| Vulnerability Description The VNC protocol is a simple protocol for remote access to graphical user interfaces. RealVNC is an implementation of the VNC protocol. RealVNC fails to properly validate the client authentication method, potentially allowing a remote attacker to bypass authentication and gain unauthorized access to the system. |
||
|
Vulnerability Status A proof of concept has been published: http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html |
|
|
Update/Patch Available Upgrade to RealVNC Free Edition 4.1.2, Personal Edition 4.2.3, or Enterprise Edition 4.2.3 : http://www.realvnc.com/download.html |
|
|
Vulnerability Details The vulnerability is caused due to improper handling of VNC password authentication requests. This can be exploited to bypass authentication and allow access to a remote system without requiring knowledge of the VNC password. |
Protection Overview
SmartDefense can be configured to block unauthenticated negotiations between the VNC client and the VNC server on the default VNC port (TCP/5900) or on any other port.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on July 5, 2006 includes the follwoing protections:
Malformed SSH Init Message Protection (CPAI-2006-069)
Multiple IMAP Servers Directory Traversal Protection (CPAI-2006-070)
VNC Authentication Bypass Protection (CPAI-2006-071)
COM Object Instantiation Protection (MS06-013) - CPAI-2006-072
COM Object Instantiation Memory Corruption Vulnerability (MS06-021) - CPAI-2006-073
Microsoft JScript Remote Code Execution Protection (MS06-023) - CPAI-2006-074
Symantec Sygate SQL Injection Protection (CPAI-2006-075)
Horde Help Viewer Protection (CPAI-2006-076)
Virtual War (VWar) File Inclusion Protection (CPAI-2006-077)
AWStats Remote Command Execution Protection - CPAI-2006-078
Windows Media Player PNG Protection (MS06-024) - CPAI-2006-079
ART Image Rendering Protection (MS06-022) - CPAI-2006-080
MySQL Server str_to_date DoS Protection (CPAI-2006-081)
Enhanced Protection against AWStats "migrate" Shell Command Injection (CPAI-2006-053)
Additional Logs added to the FTP patterns engine (CPAI-2006-040)
VPN-1 NGX R61
How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the SmartDefense tree, click Remote Control Applications > Block VNC Authentication Bypass. 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name : VNC Enforcement Violation
Attack Information: VNC authentication bypass vulnerability detected on connection
VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. 2. In the SmartDefense tree, click Remote Control Applications > Block VNC Authentication Bypass.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name : VNC Enforcement Violation
Attack Information: VNC authentication bypass vulnerability detected on connection
InterSpect NGX
How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click Remote Control Applications > Block VNC Authentication Bypass.
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name : VNC Enforcement Violation
Attack Information: VNC authentication bypass vulnerability detected on connection
InterSpect 2.0
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Remote Control Applications > Block VNC Authentication Bypass.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name : VNC Enforcement Violation
Attack Information: VNC authentication bypass vulnerability detected on connection