PT-2022-23368 · Osu Open Source · Vncauthproxy
Mlevogiannis · Published 2022-09-14 · Updated 2024-08-01 · CVE-2022-36436
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OSU Open Source Lab VNCAuthProxy versions 1.1.1 and earlier
Description
The issue is an authentication-bypass vulnerability in the VNCServerAuthenticator, located in vncap/vnc/protocol.py, which could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server.
Recommendations
For OSU Open Source Lab VNCAuthProxy versions 1.1.1 and earlier, consider disabling the VNCServerAuthenticator function until a patch is available to prevent unauthorized access to VNC sessions. Restrict access to the proxy server to minimize the risk of exploitation. Avoid using the proxy server to connect to VNC servers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Vncauthproxy