Rapid7 Vulnerability & Exploit Database

RHSA-2003:041: Updated VNC packages fix replay and cookie vulnerabilities


Updated VNC packages are available, fixing a challenge replay and a weak cookie vulnerability. [Updated 10 July 2003] Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

VNC is a tool for providing a remote graphical user interface. Two vulnerabilities have been found in versions of VNC shipped by Red Hat.

The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a sufficiently strong random number generator. This could allow an attacker to more easily guess the authentication cookie.

The VNC DES authentication scheme is implemented using a challenge-response architecture, producing a random and different challenge for each authentication attempt. A bug in the function for generating the random challenge caused the random seed to be reset to the current time on every authentication attempt. Therefore, two authentication attempts within the same second could receive the same challenge. An eavesdropper could exploit this vulnerability by replaying the response, thereby gaining authentication.

All users of VNC are advised to upgrade to these erratum packages, which contain patches to correct these issues. Note that when using VNC on an untrusted network, always make sure to tunnel it through a secure authenticated protocol such as SSH.
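The challenge bug described above, shown beside a hardened form, as an added C example that is not code from Red Hat or the VNC project. The function names are hypothetical, `now` is passed in as a parameter so the same-second case can be reproduced deterministically, and `srand()`/`rand()` stand in for whichever generator the server used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CHALLENGE_SIZE 16 /* size of the RFB VNC authentication challenge */

/* Flawed pattern: the generator is reseeded with the current second on every
 * call, so the challenge is a pure function of `now` (hypothetical parameter). */
void weak_challenge(unsigned char *out, time_t now)
{
    srand((unsigned int)now);
    for (int i = 0; i < CHALLENGE_SIZE; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: take the bytes from the kernel CSPRNG. Returns 0 on success. */
int strong_challenge(unsigned char *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, CHALLENGE_SIZE, f);
    fclose(f);
    return n == CHALLENGE_SIZE ? 0 : -1;
}

/* Returns 1 when two challenges issued within the same second are identical. */
int weak_repeats_within_second(time_t now)
{
    unsigned char a[CHALLENGE_SIZE], b[CHALLENGE_SIZE];
    weak_challenge(a, now);
    weak_challenge(b, now);
    return memcmp(a, b, CHALLENGE_SIZE) == 0;
}

/* Returns 1 if two CSPRNG challenges collide, 0 if they differ, -1 on error. */
int strong_repeats(void)
{
    unsigned char a[CHALLENGE_SIZE], b[CHALLENGE_SIZE];
    if (strong_challenge(a) != 0 || strong_challenge(b) != 0) return -1;
    return memcmp(a, b, CHALLENGE_SIZE) == 0;
}

int main(void)
{
    printf("reseeded per call, same second: repeat=%d\n", weak_repeats_within_second(time(NULL)));
    printf("/dev/urandom:                   repeat=%d\n", strong_repeats());
    return 0;
}
```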


  • redhat-upgrade-vnc
  • redhat-upgrade-vnc-doc
  • redhat-upgrade-vnc-server
