UltraVNC w/ DSM Plugin Detection

medium Nessus Plugin ID 19289

Synopsis

A remote control service is running on this port.

Description

UltraVNC seems to be running on the remote port.

Upon connection, the remote service on this port always sends the same 12 pseudo-random bytes.

It is probably UltraVNC with the old DSM encryption plugin. This plugin tunnels the RFB protocol into a RC4-encrypted stream.

This old protocol does not use a random IV so the RC4 pseudo random flow is reused from one session to another. An authenticated user could leverage this issue to decrypt other users' sessions.

Solution

If this service is not needed, disable it or filter incoming traffic to this port. Otherwise, upgrade UltraVNC and use one of the new and safer plugins which implement a random IV.

Plugin Details

Severity: Medium

ID: 19289

File Name: ultravnc_dsm_detect.nasl

Version: 1.21

Type: remote

Published: 7/24/2005

Updated: 4/11/2022

Configuration: Enable thorough checks

Asset Inventory: true

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:uvnc:ultravnc