VNC® Viewer Vulnerability CVE-2008-4770

Summary

A vulnerability has been reported in a core VNC Viewer component's validation of server-supplied RFB protocol data. This issue only affects the VNC Viewer component, VNC Servers are not affected.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4770 to this issue.

Security status

There are no known attacks.

Suggested action

VNC Enterprise & Personal Edition Viewer users should upgrade to version E4.4.3 / P4.4.3.

VNC Free Edition Viewer users should upgrade to version 4.1.3, and providers of software based on the VNC Free Edition open-source codebase should patch it to version 4.1.3.

Please use your regular RealVNC™ support channel if you have any concerns regarding this issue.

Potential impact

By taking advantage of this vulnerability, a malicious VNC Server may cause a connected VNC Viewer to crash. In theory, it is also possible for for a malicious VNC Server to cause code to be remotely executed on a connected VNC Viewer, though arranging this is considerably more complex in practice. Both issues are significantly mitigated in most installations.

The VNC Viewer for Java is unaffected by this issue and is at No risk.

VNC Enterprise & Personal Edition Viewers, and equivalent products, are at Minimal Risk if operating with encryption "Always On", the installation default.

VNC Free Edition Viewers, and open-source software based on the VNC Free Edition Viewer codebase, are at Medium Risk.

VNC Free Edition Viewers, and open-source software based on the VNC Free Edition Viewer codebase operating in "Listening Mode" are at High Risk.

Affected products

Credit

RealVNC would like to thank to Benjamin Bennett of the Pittsburgh Supercomputing Center for reporting this issue.