Vulnerability Note VU#735416
UltraVNC repeater does not restrict IP addresses or ports by default
UltraVNC repeater versions prior to ultravnc_repeater_1300 do not restrict usage by IP address by default and cannot restrict by ports, which may be leveraged to induce connections to arbitrary hosts using any port.
CWE-16: Configuration - CVE-2016-5673
UltraVNC repeater acts as a proxy to route remote desktop VNC connections. IP addresses are not restricted in default configurations, and ports cannot be selectively restricted. Consequently, in a default installation, a repeater can be caused to initiate connections to arbitrary hosts using any port. To initiate a connection to a common web service, for instance, an attacker may request a connection to <IP>::<80><padding>, where padding consists of null bytes and the request length is 250 bytes.
A remote, unauthenticated attacker may induce a default-configured repeater to initiate connections to arbitrary hosts and services.
Update repeater configuration
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|UltraVNC||Affected||13 May 2016||01 Aug 2016|
CVSS Metrics (Learn More)
Thanks to Yonathan Klijnsma and Dan Tentler for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2016-5673
- Date Public: 06 Aug 2016
- Date First Published: 08 Aug 2016
- Date Last Updated: 08 Aug 2016
- Document Revision: 21
If you have feedback, comments, or additional information about this vulnerability, please send us email.