RealVNC is a remote control access product that is bundled with Cisco CallManager and IP/VC 3540/DCS modules to provide remote console access.
A vulnerability in RealVNC may allow a malicious user to bypass RealVNC authentication to gain console access.
If a malicious user exploits this vulnerability to gain console access, all normal CallManager or Windows 2000 security still applies and remains intact. While this vulnerability may provide initial remote access, an attacker will still require Windows and CallManager or IP/VC 3540/DCS credentials to further any attack.
RealVNC has resolved this vulnerability in software version 4.1.2 and later.
Cisco has made available an update for both CallManager and IP/VC 3540/DCS modules that updates RealVNC to version 4.1.2.
The update for CallManager is available in update win-OS-Upgrade-K9.2000-4-2sr8.exe, which may be downloaded at http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des (registered customers only).
The update for IP/VC 3540/DCS is available at http://www.cisco.com/pcgi-bin/tablebuild.pl/ipvc (registered customers only).
The workaround for this issue is to disable the RealVNC service. Please consult the RealVNC documentation for further details at http://www.realvnc.com/documentation.html.