This is a problem for version 4.1.1 only, so if you have earlier versions you
must not worry about it.
http://isc.sans.org/diary.php?storyid=1331

Jose Ramirez

Quoting Ray Van Dolson <rayvd (at) digitalpath (dot) net [email concealed]>:

> On Mon, Jun 05, 2006 at 05:33:29PM -0600, Kurt Seifried wrote:
>> >How is it that even though this vulnerability has been known now for
>> >some time, Red Hat still has not issued a new package or security update
>> >that addresses this? On RHN, the most recent package I can find is
>> >4.0.0 beta and the most recent security patch for VNC dates back to
>> >December 2004. Since Red Hat started distributing the package, why has
>> >it not been kept up with?
>>
>> Probably because customers are not bugging them to much for it? I've never
>> used vnc-server on Linux or seen it used to be honest, and although it is a
>> nasty problem it's easy to deal with (just firewall it to trusted systems
>> or wrap a VPN around it). They are obviously aware of this issue (it was
>> fixed in Fedora Core 5, reported by Mark J. Cox).
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191692
>>
>
> That bugzilla report makes it sound like RHEL versions of VNC are
> unaffected?
>
> "I've verified that by altering a client in this way you are able to bypass
> password authentication in vnc 4.1.1 but not in earlier versions as shipped
> in Red Hat Enterprise Linux (their server connection souce code is
> different)."
>
> Ray
>

[ reply ]