Rapid7 Vulnerability & Exploit Database

CESA-2003:068: vnc security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 03/03/2003
Created: 07/25/2018
Added: 03/12/2010
Modified: 07/04/2017

Description

Updated VNC packages are available to fix a weak cookie vulnerability.

VNC is a tool for providing a remote graphical user interface. The VNC server acts as an X server, but the script that starts it generates the MIT X cookie (used for X authentication) without a sufficiently strong random number generator. This could allow an attacker to guess the authentication cookie more easily. All users of VNC are advised to upgrade to these erratum packages, which contain a patch to correct this issue.
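Why the generator matters for a 128-bit X cookie, as an added example (not code from this advisory or from the VNC packages): a cookie derived from a seeded general-purpose PRNG carries only as much entropy as its seed, whereas one drawn from the OS CSPRNG carries the full 128 bits. The seed of start time plus PID is an assumed illustration of a predictable seed, and all function names and sample values are hypothetical.

```python
import math
import random
import secrets

COOKIE_BYTES = 16  # MIT-MAGIC-COOKIE-1 is a 128-bit value, written as 32 hex digits


def weak_cookie(start_time: int, pid: int) -> str:
    """Illustrative weak generator (assumed pattern, not the vnc start script):
    a general-purpose PRNG seeded from values an observer can estimate."""
    rng = random.Random(start_time + pid)
    return "".join(f"{rng.randrange(256):02x}" for _ in range(COOKIE_BYTES))


def strong_cookie() -> str:
    """Cookie drawn from the operating system's CSPRNG."""
    return secrets.token_hex(COOKIE_BYTES)


def seed_entropy_bits(time_window_s: int, pid_range: int) -> float:
    """Upper bound on the weak cookie's entropy. The cookie is a pure function
    of start_time + pid, so it cannot take more values than there are distinct
    sums: time_window_s + pid_range - 1."""
    return math.log2(time_window_s + pid_range - 1)


if __name__ == "__main__":
    # Constructed sample values: a server started within a known hour,
    # on a host with a 15-bit PID space.
    t, pid = 1046649600, 1234
    print("weak  :", weak_cookie(t, pid))
    print("again :", weak_cookie(t, pid))          # identical: fully determined by the seed
    print("alias :", weak_cookie(t - 1, pid + 1))  # identical: different inputs, same seed
    print("strong:", strong_cookie())
    print(f"weak cookie entropy <= {seed_entropy_bits(3600, 32768):.1f} bits "
          f"(cookie length suggests {COOKIE_BYTES * 8})")
```

For auditing a start script, the question to ask is where the cookie bytes come from: a kernel random source or a CSPRNG API is acceptable, while a PRNG seeded from time, PID or hostname is not.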

Solution(s)

  • centos-upgrade-vnc
  • centos-upgrade-vnc-doc
  • centos-upgrade-vnc-server
