Security Fix Question

jgray
Posts: 1
Joined: 2012-10-18 15:29

Security Fix Question

Post by jgray »

I see in the change information for version 1.1.0.0 it says this:

-security fix ( encryption plugin + vnc passwd : password can be broken)

I was curious as to the nature of this as it relates to running the current non-beta version (1.0.9.6.2). Is this an issue specifically related to using an encryption plugin... meaning that if a plugin is used then the password can be broken? In that case would it be better to run it without the encryption plugin?
stack
Posts: 3
Joined: 2012-10-10 04:16

Re: Security Fix Question

Post by stack »

I was also having a hard time finding specifics about this fix. The closest I came to the explanation was from the history screen of the 1.1.0.0 installer:

"-new vncpasswd + encryption.
Instead of using the password as part of the encryption, we now check the password inside the encryption by the server. This allows the server to blacklist servers after x fault password.

WARNING: If using encryption plugin + vncpassword you better upgrade. No protection against Brute force password hacking."

I guess that still doesn't answer your question. So I too would appreciate it if someone could shed light on this.
And also clarify if the encryption plugin + new ms login combo in 1.0.9.6.2 is vulnerable to the same attack.

Thank you
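
The behaviour the quoted installer note describes, a password checked by the server so that wrong guesses are counted and the peer is blacklisted after x failures, sketched as an added example. It is not UltraVNC code and not part of either post; the class name, the ban length, the peer addresses and the passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os


class PasswordGate:
    """Server-side password check with per-peer blacklisting (illustrative)."""

    def __init__(self, password, max_failures=3, ban_seconds=600):
        self._salt = os.urandom(16)          # keep a salted slow hash, not the plaintext
        self._hash = self._derive(password)
        self.max_failures = max_failures     # the "x" in "after x fault password"
        self.ban_seconds = ban_seconds       # assumed ban length, not from the page
        self._failures = {}                  # peer -> consecutive failed attempts
        self._banned_until = {}              # peer -> time at which the ban expires

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check(self, peer, candidate, now):
        """Return 'ok', 'denied' or 'blacklisted' for one attempt at time `now`."""
        if self._banned_until.get(peer, 0) > now:
            return "blacklisted"             # refused before the guess is even tested
        if hmac.compare_digest(self._derive(candidate), self._hash):
            self._failures.pop(peer, None)   # success resets the failure counter
            return "ok"
        count = self._failures.get(peer, 0) + 1
        self._failures[peer] = count
        if count >= self.max_failures:
            self._banned_until[peer] = now + self.ban_seconds
            self._failures.pop(peer, None)
            return "blacklisted"
        return "denied"


def demo():
    """Replay constructed attempts as (time in seconds, peer, password)."""
    gate = PasswordGate("correct-horse", max_failures=3, ban_seconds=600)
    attempts = [
        (0, "198.51.100.7", "123456"),
        (1, "198.51.100.7", "password"),
        (2, "198.51.100.7", "letmein"),          # third failure triggers the ban
        (3, "198.51.100.7", "correct-horse"),    # right password, still refused
        (4, "203.0.113.9", "correct-horse"),     # other peers are unaffected
        (700, "198.51.100.7", "correct-horse"),  # ban has expired
    ]
    return [gate.check(peer, pw, t) for (t, peer, pw) in attempts]


if __name__ == "__main__":
    print(demo())
```

The fourth attempt shows the point of the design: while a peer is blacklisted the server gives it no signal about whether a guess was right, which is only possible because the server, not the encryption layer, decides whether the password matches.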