Are there any known security vulnerabilities?

RealVNC Ltd has a clear track record in providing secure software. Current versions are not affected by any known vulnerabilities.

Previous versions released between 2004 and 2013 were affected by the following issues:

CVE-2013-6886 (No remote threat, local access required)

VNC 5.0.6 allows local users to execute arbitrary code as root by passing a maliciously crafted argument vector to the vncserver (Mac) and vncserver-x11/Xvnc (Linux, Solaris, AIX, HP-UX) setuid-root helpers. The vulnerability affects VNC 5.0.6 only, and is fixed in VNC 5.0.7. VNC 5.1.0 and later are not affected. VNC on Windows is not affected.

CVE-2008-4770 (Moderate — only affects VNC Viewer)

The CMsgReader::readRect function in VNC Viewer provided with VNC Free Edition 4.0 through 4.1.2, VNC Enterprise Edition 4.0 through 4.4.2, and VNC Personal Edition 4.0 through 4.4.2 allows a remote VNC Server to execute arbitrary code via crafted RFB protocol data, related to encoding type.

CVE-2008-3493 (Not severe — only affects VNC Viewer)

VNC Viewer 4.1.2.0 allows a remote VNC Server to cause a denial of service (application crash) via a crafted framebuffer update packet.

CVE-2006-2369 (Severe)

VNC Enterprise Edition 4.1.1, and other products that embed RealVNC such as AdderLink IP and Cisco CallManager, allow remote attackers to bypass authentication via a request in which a client specifies an insecure security type (for example, "Type 1 - None") that is accepted even if it is not offered by VNC Server, as originally demonstrated using a long password.
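
The check that this class of flaw omits is shown below as an added illustration; it is not RealVNC's code. It assumes the RFB security handshake layout from RFC 6143 (the server sends a one-byte count followed by one byte per offered type, and the client replies with one byte), and the struct, constant and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFB security type numbers (RFC 6143, section 7.1.2). */
enum { RFB_SEC_INVALID = 0, RFB_SEC_NONE = 1, RFB_SEC_VNC_AUTH = 2 };

/* Hypothetical per-connection record of the types the server advertised. */
struct sec_offer { uint8_t types[8]; size_t count; };

/* Constructed sample: a server configured to offer VNC Authentication only. */
static const struct sec_offer SAMPLE_OFFER = { { RFB_SEC_VNC_AUTH }, 1 };

/* Serialise the offer (U8 count, then one U8 per type); 0 means error. */
size_t build_offer_msg(const struct sec_offer *o, uint8_t *buf, size_t cap)
{
    if (o->count == 0 || o->count > sizeof o->types || cap < o->count + 1)
        return 0;
    buf[0] = (uint8_t)o->count;
    for (size_t i = 0; i < o->count; i++)
        buf[1 + i] = o->types[i];
    return o->count + 1;
}

/* Flawed pattern: accepts any type the code can handle, ignoring the offer. */
bool accept_choice_flawed(const struct sec_offer *o, uint8_t chosen)
{
    (void)o;
    return chosen == RFB_SEC_NONE || chosen == RFB_SEC_VNC_AUTH;
}

/* Checked pattern: the reply must match a type that was actually offered. */
bool accept_choice_checked(const struct sec_offer *o, uint8_t chosen)
{
    if (chosen == RFB_SEC_INVALID || o->count > sizeof o->types)
        return false;
    for (size_t i = 0; i < o->count; i++)
        if (o->types[i] == chosen)
            return true;
    return false;
}

int main(void)
{
    printf("flawed:  %d\n", accept_choice_flawed(&SAMPLE_OFFER, RFB_SEC_NONE));
    printf("checked: %d\n", accept_choice_checked(&SAMPLE_OFFER, RFB_SEC_NONE));
    return 0;
}
```

A server that applies the checked form closes the connection when the reply names a type outside its own offer, so the configured authentication scheme cannot be downgraded by the client.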

CVE-2004-1750 (Not severe — only affects VNC Server)

VNC Enterprise Edition 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.

If you come across a security issue with VNC that is not listed above, please contact us via our Help Center.