Executive Summary

Summary
Title UltraVNC repeater does not restrict IP addresses or ports by default
Informations
Name VU#735416 First vendor Publication 2016-08-08
Vendor VU-CERT Last vendor Modification 2016-08-08
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#735416

UltraVNC repeater does not restrict IP addresses or ports by default

Original Release date: 08 Aug 2016 | Last revised: 08 Aug 2016

Overview

UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port.

Description

CWE-16: Configuration -CVE-2016-5673

UltraVNC repeater acts as a proxy to route remote desktop VNC connections. IP addresses are not restricted in default configurations, and ports cannot be selectively restricted. Consequently, in a default installation, a repeater can be caused to initiate connections to arbitrary hosts using any port. To initiate a connection to a common web service, for instance, an attacker may request a connection to <IP>::<80><padding>, where padding consists of null bytes and the request length is 250 bytes.

Impact

A remote, unauthenticated attacker may induce a default-configured repeater to initiate connections to arbitrary hosts and services.

Solution

Update repeater configuration

New installations of UltraVNC repeater now default to restricting access to all IP addresses and support more granular port restrictions. Existing installations should consider updating to ultravnc_repeater_1300, review the vendor's advisory, and make modifications as appropriate:

    "WARNING: In MODE I the repeater works like a proxy. If you don't limit the destination and or ports your repeater can be used to connect to all ip adresses and all ports that can be reached from the repeater.

    You need to restrict the ip addreses and ports to prevent unwanted access."

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
UltraVNCAffected13 May 201601 Aug 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base5.0AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal3.9E:POC/RL:OF/RC:C
Environmental1.0CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/16.html
  • http://www.uvnc.com/products/uvnc-repeater.html
  • http://www.uvnc.com/downloads/repeater/83-repeater-downloads.html

Credit

Thanks to Yonathan Klijnsma and Dan Tentler for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2016-5673
  • Date Public:06 Aug 2016
  • Date First Published:08 Aug 2016
  • Date Last Updated:08 Aug 2016
  • Document Revision:21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/735416

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-284 Access Control (Authorization) Issues

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2016-08-27 00:26:04
  • Multiple Updates
2016-08-26 05:20:04
  • Multiple Updates
2016-08-08 17:23:40
  • First insertion