=====================================================================
CERT-Renater Note d'Information No. 2006/VULN354
_____________________________________________________________________

DATE                 : 23/06/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Windows running Cisco CallManager.

======================================================================

Cisco Security Response: RealVNC Remote Authentication Bypass Vulnerability

Document ID: 70509

http://www.cisco.com/warp/public/707/cisco-sr-20060622-cmm.shtml

Revision 1.0

For Public Release 2006 June 22 1530 UTC (GMT)

-----------------------------------------------------------------------

Contents
========

Cisco Response
Additional Information
Workaround
Revision History
Cisco Security Procedures

-----------------------------------------------------------------------

Cisco Response
==============

This is Cisco PSIRT's response to the CERT advisory at
http://www.kb.cert.org/vuls/id/117929, which RealVNC has acknowledged in
its release notes at
http://www.realvnc.com/products/free/4.1/release-notes.html

This vulnerability was originally discovered by James Evans. The original
CERT advisory is available at http://www.kb.cert.org/vuls/id/117929

This issue is being tracked by Cisco bug ID:

  * CSCse32811  RealVNC allows remote access to Windows 2000 server
                console without password.

Additional Information
======================

RealVNC is a remote control access product that is bundled with Cisco
CallManager to provide remote console access. A vulnerability in RealVNC
may allow a malicious user to bypass RealVNC authentication and gain
console access to a Cisco CallManager system.

If a malicious user exploits this vulnerability to reach a Cisco
CallManager server, all normal CallManager and Windows 2000 security
controls still apply and remain intact. While the vulnerability may
provide remote access to the console of a CallManager system, an attacker
still requires Windows and CallManager credentials to take the attack any
further.
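The following probe is an added example for administrators checking CallManager hosts; it is not part of the Cisco response or the CERT-Renater note, and it is not Cisco or RealVNC code. It performs the public RFB (VNC) protocol handshake against a host (the host name callmanager.example.invalid and port 5900 are placeholders) and reports the security types the server advertises, so that after the update or the workaround one can confirm either that no VNC listener remains on the host, or that the listener that remains advertises only VNC Authentication (type 2) and never "None" (type 1, no password). One caveat a practitioner should keep in mind: the advertised list shows what the server is configured to offer, not whether it enforces the client's choice, so for this particular bug the authoritative confirmation is the installed RealVNC version (4.1.2 or later) or the service being disabled; the probe supplements that check rather than replacing it.

```python
"""Probe an RFB (VNC) listener and report the security types it advertises.

Added example; not Cisco, RealVNC or CERT-Renater code.  It follows the
public RFB 3.x handshake: the server sends a 12-byte version banner
('RFB 003.008\\n'), the client echoes a version, and the server then
announces its security types.  Type 1 is "None" (no password), type 2 is
"VNC Authentication".  The host name and port in main are placeholders.
"""
import socket
import struct
import sys

SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_version(banner: bytes) -> tuple:
    """Parse b'RFB xxx.yyy\\n' into (major, minor); reject anything else."""
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[-1:] != b"\n":
        raise ValueError("not an RFB version banner: %r" % banner)
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def _reason(data: bytes) -> str:
    """Decode the u32-length-prefixed reason string sent with a refusal."""
    (length,) = struct.unpack(">I", data[:4])
    return data[4:4 + length].decode("latin-1", "replace")


def parse_security_types(minor: int, data: bytes) -> list:
    """Decode the server's security-type message for an RFB 3.x session.

    RFB 3.3 sends one big-endian u32 type (0 = connection refused, reason
    follows).  RFB 3.7 and 3.8 send a u8 count followed by that many u8
    types (count 0 = refused, reason follows).
    """
    if minor < 7:
        (sec_type,) = struct.unpack(">I", data[:4])
        if sec_type == 0:
            raise ConnectionError("server refused: " + _reason(data[4:]))
        return [sec_type]
    count = data[0]
    if count == 0:
        raise ConnectionError("server refused: " + _reason(data[1:]))
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("short security-type list")
    return types


def assess(types: list) -> str:
    """Summarise the advertised types; flag 'None' as a weak configuration."""
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, "type %d" % t) for t in types)
    if 1 in types:
        return "WEAK: server advertises 'None' (no password): " + names
    return "advertises: " + names


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def _recv_reason(sock: socket.socket) -> bytes:
    """Read a u32 length plus reason string, returning the raw bytes."""
    length_bytes = _recv_exact(sock, 4)
    (length,) = struct.unpack(">I", length_bytes)
    return length_bytes + _recv_exact(sock, length)


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> tuple:
    """Run the handshake against a live listener; return ((major, minor), types)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        major, minor = parse_version(_recv_exact(sock, 12))
        if major != 3:
            raise ValueError("unsupported RFB major version %d" % major)
        minor = min(minor, 8)              # never claim more than we implement
        sock.sendall(b"RFB %03d.%03d\n" % (major, minor))
        if minor < 7:
            data = _recv_exact(sock, 4)
            if data == b"\x00\x00\x00\x00":
                data += _recv_reason(sock)
        else:
            data = _recv_exact(sock, 1)
            data += _recv_reason(sock) if data == b"\x00" else _recv_exact(sock, data[0])
        return (major, minor), parse_security_types(minor, data)


if __name__ == "__main__":
    # Placeholder host; pass the CallManager address on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "callmanager.example.invalid"
    try:
        version, types = probe(target)
        print("%s: RFB %d.%d, %s" % (target, version[0], version[1], assess(types)))
    except OSError as exc:
        print("%s: handshake failed or no RFB listener on 5900 (%s)" % (target, exc))
```

Run it once before and once after disabling the RealVNC service: the first run should show only VNC Authentication advertised, the second should fail to connect. The parsing functions are separated from the socket code so the handshake decoding can be exercised on captured bytes without a live server.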
RealVNC has resolved this vulnerability in software version 4.1.2 and
later. Cisco has made available an update that upgrades the bundled
RealVNC to version 4.1.2 or later. It is delivered in the CallManager
update win-OS-Upgrade-K9.2000-4-2sr8.exe, which may be downloaded at
http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des

Workaround
==========

The workaround for this issue is to disable the RealVNC service. Please
consult the RealVNC documentation for further details at
http://www.realvnc.com/documentation.html

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Revision History
================

+--------------+----------------+--------------------------+
| Revision 1.0 | 2006-June-22   | Initial public release.  |
+--------------+----------------+--------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

-----------------------------------------------------------------------

All contents are Copyright 1992-2006 Cisco Systems, Inc. All rights
reserved.
-----------------------------------------------------------------------

Updated: Jun 22, 2006
Document ID: 70509

-----------------------------------------------------------------------

======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital     | fax  : 01-53-94-20-41 +
+ 75013 Paris             | email: certsvp@renater.fr +
=========================================================