Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Security Response

RealVNC Remote Authentication Bypass Vulnerability

Document ID: 608

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060622-cmm

Revision 1.1

For Public Release 2006 June 22 15:30  UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

This is Cisco PSIRT's response to the CERT advisory http://www.kb.cert.org/vuls/id/117929 leavingcisco.com and acknowledged by Real VNC at http://www.realvnc.com/products/free/4.1/release-notes.html leavingcisco.com. This vulnerability was originally discovered by James Evans.

The original CERT advisory is available at http://www.kb.cert.org/vuls/id/117929 leavingcisco.com.

This issue is being tracked by these Cisco bug IDs:

  • CSCse32811 (registered customers only) —RealVNC allows remote access to Windows 2000 server console without password.
  • CSCsf02450 (registered customers only) —RealVNC allows remote access to IP/VC 3540/DCS server console.

Additional Information

RealVNC is a remote control access product that is bundled with Cisco CallManager and IP/VC 3540/DCS modules to provide remote console access.

A vulnerability in RealVNC may allow a malicious user to bypass RealVNC authentication to gain console access.

In the event that a malicious user exploits this vulnerability to gain console access, all normal CallManager or Windows 2000 security will still apply and is intact. While this vulnerability may provide initial remote access, an attacker will still require Windows and CallManager or IP/VC 3540/DCS credentials to further any attack.

RealVNC has resolved this vulnerability in software version 4.1.2 and later.

Cisco has made available an update for both Call Manager and IP/VC 3540/DCS modules which will update RealVNC to version 4.1.2.

This update for CallManager is available in update win-OS-Upgrade-K9.2000-4-2sr8.exe which may be downloaded at http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des (registered customers only) .

This update for IP/VC 3540/DCS is available at http://www.cisco.com/pcgi-bin/tablebuild.pl/ipvc (registered customers only) .

Workaround

The workaround to this issue is to disable the RealVNC service. Please consult RealVNC documentation for further details at http://www.realvnc.com/documentation.html leavingcisco.com.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.1

2006-October-11

Added information on IPVC 3540/DCS.

Revision 1.0

2006-June-22

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version