Package: tightvncserver
Version: 1:1.3.9-9
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I installed tightvncserver on my VPS machine via apt. This did set up tightvncserver as an alternative for vncserver. Using a normal user account and starting vncserver for the first time asks for an 8-letter password. My assumption is this password will be used to authenticate users when connecting to the vnc server.

After starting the vnc server via the vncserver script, it is served on port 5901. On the client machine I use vinagre to connect to the server on port 5901. When connecting, I am not asked for a password, but rather directly taken to the X session. I would have expected the server to ask for the password I specified earlier.

As a workaround, to ensure the integrity of the system, I set up iptables rules to not allow direct WAN connections to this port, but only allow local connections and use an SSH tunnel for connecting to the vnc server.

Kind regards,
Christoph

-- System Information:
Debian Release: buster/sid
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.17-xxxx-std-ipv6-64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tightvncserver depends on:
ii  libc6             2.27-8
ii  libjpeg62-turbo   1:1.5.2-2+b1
ii  libx11-6          2:1.6.7-1
ii  libxext6          2:1.3.3-1+b2
ii  perl              5.28.0-3
ii  x11-common        1:7.7+19
ii  x11-utils         7.7+4
ii  xauth             1:1.0.10-1
ii  xserver-common    2:1.20.3-1
ii  zlib1g            1:1.2.11.dfsg-1

Versions of packages tightvncserver recommends:
ii  x11-xserver-utils  7.7+8
ii  xfonts-base        1:1.0.4+nmu1

Versions of packages tightvncserver suggests:
pn  tightvnc-java  <none>

-- no debconf information
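A way for an administrator to confirm from the client side whether a vncserver instance actually advertises password authentication, written as an added example that is not part of this bug report or of the tightvncserver package. It performs only the RFB version exchange and reads the security-type list; the host, port (defaulting to 5901, display :1 as in the report) and the sample handshake bytes are assumed or constructed.

```python
import socket
import struct

# RFB security type numbers (RFC 6143 section 7.1.2 plus registered extensions).
# Type 1 ("None") means the server admits any client without a password.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_security_types(version, payload):
    """Return the security types the server offered.

    version: the 12-byte ProtocolVersion message the server sent.
    payload: the bytes that followed the client's version reply.
    RFB 3.3 sends a single U32 security type (0 = connection refused);
    RFB 3.7/3.8 send a U8 count followed by that many U8 types
    (a count of 0 means the server refused and a reason string follows).
    """
    text = version.decode("ascii", "replace")
    major, minor = int(text[4:7]), int(text[8:11])
    if (major, minor) < (3, 7):
        (sec_type,) = struct.unpack(">I", payload[:4])
        return [] if sec_type == 0 else [sec_type]
    count = payload[0]
    return list(payload[1:1 + count])


def unauthenticated_access_offered(types):
    """True when type 1 ("None") is on offer. Caveat: type 16 ("Tight")
    negotiates its own sub-types afterwards, so its absence here is not
    proof that a password is enforced; its presence is a clear finding."""
    return 1 in types


def check_vnc_server(host, port=5901, timeout=5.0):
    """Handshake with a live server and name its advertised security types.
    Only the version exchange happens; no session is opened."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = sock.recv(12)
        if not version.startswith(b"RFB "):
            raise ValueError("not an RFB server: %r" % version)
        sock.sendall(version)      # accept the version the server proposed
        payload = sock.recv(256)
    types = parse_security_types(version, payload)
    return [SECURITY_TYPES.get(t, "type %d" % t) for t in types]


if __name__ == "__main__":
    import sys
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5901
    print(check_vnc_server(sys.argv[1], port))
```

Run against your own server; a result containing "None" reproduces the behaviour described in the report, while a server enforcing the password set at first start should list "VNC Authentication" (or "Tight") without "None".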