auth.c in LibVNCServer 0.7.1 allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, a different issue than CVE-2006-2369.

Modified clients could bypass authentication of password protected VNC servers (CVE-2006-2450).

The remote host is affected by the vulnerability described in GLSA-200703-19 (LTSP: Authentication bypass in included LibVNCServer code)

    The LTSP server includes vulnerable LibVNCServer code, which fails to     properly validate protocol types effectively letting users decide what     protocol to use, such as 'Type 1 - None' (GLSA-200608-05). The LTSP VNC     server will accept this security type, even if it is not offered by the     server.
  Impact :

    An attacker could exploit this vulnerability to gain unauthorized     access with the privileges of the user running the VNC server.
  Workaround :

    There is no known workaround at this time.

Ludwig Nussel reports that x11vnc is vulnerable to an authentication bypass vulnerability. The vulnerability is caused by an error in auth.c. This could allow a remote attacker to gain unauthorized and unauthenticated access to the system.

The remote host is affected by the vulnerability described in GLSA-200608-12 (x11vnc: Authentication bypass in included LibVNCServer code)

    x11vnc includes vulnerable LibVNCServer code, which fails to properly     validate protocol types effectively letting users decide what protocol     to use, such as 'Type 1 - None' (GLSA-200608-05). x11vnc will accept     this security type, even if it is not offered by the server.
  Impact :

    An attacker could exploit this vulnerability to gain unauthorized     access with the privileges of the user running the VNC server.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-200608-05 (LibVNCServer: Authentication bypass)

    LibVNCServer fails to properly validate protocol types effectively     letting users decide what protocol to use, such as 'Type 1 - None'.
    LibVNCServer will accept this security type, even if it is not offered     by the server.
  Impact :

    An attacker could use this vulnerability to gain unauthorized access     with the privileges of the user running the VNC server.
  Workaround :

    There is no known workaround at this time.

The version of VNC server running on the remote host is affected by the following vulnerabilities :

  - A flaw exists in RealVNC due to an error when handling     password authentication. A remote attacker can exploit     this to bypass authentication by using a specially     crafted request in which the client specifies an     insecure security type (e.g., 'Type 1 - None'), which is     accepted even if not offered by the server.
    (CVE-2006-2369)

  - A flaw exists in LibVNCServer within file auth.c due to     an error when handling password authentication. A remote     attacker can exploit this to bypass authentication by     using a specially crafted request in which the client     specifies an insecure security type (e.g., 'Type 1 -     None'), which is accepted even if not offered by the     server. (CVE-2006-2450)

ID	Name	Product	Family	Severity
27481	openSUSE 10 Security Update : xen (xen-1841)	Nessus	SuSE Local Security Checks	high
27111	openSUSE 10 Security Update : LibVNCServer (LibVNCServer-1667)	Nessus	SuSE Local Security Checks	high
24868	GLSA-200703-19 : LTSP: Authentication bypass in included LibVNCServer code	Nessus	Gentoo Local Security Checks	high
22212	FreeBSD : x11vnc -- authentication bypass vulnerability (9dda3ff1-2b02-11db-a6e2-000e0c2e438a)	Nessus	FreeBSD Local Security Checks	high
22171	GLSA-200608-12 : x11vnc: Authentication bypass in included LibVNCServer code	Nessus	Gentoo Local Security Checks	high
22147	GLSA-200608-05 : LibVNCServer: Authentication bypass	Nessus	Gentoo Local Security Checks	high
21564	VNC Security Type Enforcement Failure Remote Authentication Bypass	Nessus	Misc.	critical

Detections

Analytics

CVE-2006-2450

critical

Tenable Plugins

high

high

high

high

high

high

critical