MS LOGON I/II password vuln / Using Encryption

tmorrisnc
Posts: 1
Joined: 2006-05-15 18:28

Post by tmorrisnc »

The SecurityFocus vulnerabilities list has two entries, at

http://www.securityfocus.com/archive/1/432861

and

http://www.securityfocus.com/bid/17824/info

that point to a weakness in how MS Logon (I and II) authentication challenge response is crafted.

While the first article mentions that one workaround is to use the DSM/MSRC4 plugin, are there other plans to address this? I've been looking at UVNC (especially SC and SCIII) as options for helpdesk support, but need the solution to be secure end-to-end.

Thanks in advance!
Marscha
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

An alternative solution is in the works.
However, this will not be compatible with the current MS-Logon implementation.
I.e. you will need both vncviewer and winvnc replaced with the new version.
The viewer will still be able to connect to an old server, but with the weak protocol.

If you need a secure solution, you should definitely consider using either the encryption plugin or tunneling via SSH.