Last Updated: 2009-09-03 18:29:43 UTC
by Marcus Sachs (Version: 1)
We had an interesting submission from one of our readers today. He thinks there might be a problem with RealVNC. Here are the comments he sent us:
I'm a professional computer tech for a living, although I don't specialize in security. A few minutes ago I was shutting my PC down to go to a job when I noticed the VNC icon in my system tray was black, indicating a connection. I was immediately suspicious and powered the machine back on but unplugged the network cable until I could firewall the VNC service. I have a home broadband connection and the router is opened up to allow incoming remote access on port 5900. I have often noted the many failed attempts to connect to my VNC service in the Windows logs; however, this was different. According to my event log, the service had been connected for about 15 minutes before I noticed it. Here are the technical details:
RealVNC version: 4.1.3
IP address: 126.96.36.199 (somewhere in China, apparently)
password: 12 characters, alphanumeric
In the logs there were no prior or repeated connection attempts from this or similar IP addresses, as if a brute force attack was happening. Even at that, a 12-character password should be relatively strong. To me this looks like an authentication bypass vulnerability reminiscent of the 2006 vulnerability; I hope I'm wrong. You may want to encourage everyone to be on the lookout for suspicious VNC connections. For now my VNC is remaining firewalled.
For those who use RealVNC, would you check your event logs to see if there is anything similar that you did not authorize? Use the "comment" section below to post your brief thoughts or, if you have a lot of information to submit, use our contact form.
Marcus H. Sachs
Director, SANS Internet Storm Center
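One way to run the log check requested above, as an added example that is not part of the original diary or RealVNC's tooling: it flags sessions from unapproved addresses and reports whether failed attempts preceded them and how long each session lasted, the details the reader's report turns on. The log layout, event names, `triage` function and addresses are assumptions constructed for illustration; map your exported event log to this layout first.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed export layout: "<date> <time> <event> <ip>". The event names are
# placeholders for this example, not RealVNC's own message text.
LINE = re.compile(r"^(\S+ \S+) (auth_failed|connected|closed) (\d{1,3}(?:\.\d{1,3}){3})$")
FMT = "%Y-%m-%d %H:%M:%S"

def triage(lines, allowed):
    """Flag successful connections from hosts outside `allowed`.

    Each finding records how many failed attempts the same address made
    beforehand and how long the session stayed open (None if never closed).
    """
    failures = Counter()
    open_sessions = {}   # ip -> finding still waiting for its "closed" event
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, event, ip = datetime.strptime(m.group(1), FMT), m.group(2), m.group(3)
        if event == "auth_failed":
            failures[ip] += 1
        elif event == "connected" and ip not in allowed:
            finding = {"ip": ip, "start": ts, "prior_failures": failures[ip],
                       "minutes": None}
            findings.append(finding)
            open_sessions[ip] = finding
        elif event == "closed" and ip in open_sessions:
            f = open_sessions.pop(ip)
            f["minutes"] = (ts - f["start"]).total_seconds() / 60
    return findings

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE = """\
2009-09-03 08:01:10 auth_failed 198.51.100.7
2009-09-03 08:01:12 auth_failed 198.51.100.7
2009-09-03 09:30:00 connected 192.0.2.10
2009-09-03 09:45:00 closed 192.0.2.10
2009-09-03 12:00:00 connected 203.0.113.5
2009-09-03 12:15:00 closed 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE, allowed={"192.0.2.10"}):
        print(f)
```

A finding with `prior_failures` of 0 from an address you do not recognize matches the pattern in the report above; a high count points to password guessing instead.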