Lucene search

K
certCERTVU:735416
HistoryAug 08, 2016 - 12:00 a.m.

UltraVNC repeater does not restrict IP addresses or ports by default

2016-08-0800:00:00
www.kb.cert.org
24

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

61.9%

Overview

UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port.

Description

CWE-16**: Configuration** -**** CVE-2016-5673UltraVNC repeater acts as a proxy to route remote desktop VNC connections. IP addresses are not restricted in default configurations, and ports cannot be selectively restricted. Consequently, in a default installation, a repeater can be caused to initiate connections to arbitrary hosts using any port. To initiate a connection to a common web service, for instance, an attacker may request a connection to <IP>::<80><padding>, where padding consists of null bytes and the request length is 250 bytes.

Impact

A remote, unauthenticated attacker may induce a default-configured repeater to initiate connections to arbitrary hosts and services.

Solution

Update repeater configuration

New installations of UltraVNC repeater now default to restricting access to all IP addresses and support more granular port restrictions. Existing installations should consider updating to ultravnc_repeater_1300, review the vendor’s advisory, and make modifications as appropriate:

"WARNING: In MODE I the repeater works like a proxy. If you don’t limit the destination and or ports your repeater can be used to connect to all ip adresses and all ports that can be reached from the repeater.
_
You need to restrict the ip addreses and ports to prevent unwanted access."_

Vendor Information

735416

Filter by status: All Affected Not Affected Unknown

Filter by content: __Additional information available

__Sort by: Status Alphabetical

Expand all

Javascript is disabled. Clickhere to view vendors.

UltraVNC __ Affected

Notified: May 13, 2016 Updated: August 01, 2016

Statement Date: May 16, 2016

Status

Affected

Vendor Statement

WARNING: In MODE I the repeater works like a proxy. If you don’t limit the destination and or ports your repeater can be used to connect to all ip adresses and all ports that can be reached from the repeater.

You need to restrict the ip addreses and ports to prevent unwanted access.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 5 AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal 3.9 E:POC/RL:OF/RC:C
Environmental 1.0 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Yonathan Klijnsma and Dan Tentler for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-5673
Date Public: 2016-08-06 Date First Published:

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

61.9%

Related for VU:735416