[Yahoo-eng-team] [Bug 1840869] [NEW] VNC Server Unauthenticated Access

Tue, 20 Aug 2019 20:16:06 -0700 

Public bug reported:

When nova boot a server with VNC enabled, it does not require
authentication if an attacker trys to connect to the remote host
directly from management network. The VNC server sometimes sends the
connected user to the XDM login screen.

A warning from Nessus report:

VNC Server Unauthenticated Access

Synopsis

The remote VNC server does not require authentication.

Description
The VNC server installed on the remote host allows an attacker to connect to 
the remote host as no authentication is required to access this service.     

The VNC server sometimes sends the connected user to the XDM login
screen. Unfortunately, Nessus cannot identify this situation. In such a
case, it is not possible to go further without valid credentials and
this alert may be ignored.

Solution
Disable the No Authentication security type.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1840869

Title:
  VNC Server Unauthenticated Access

Status in OpenStack Compute (nova):
  New

Bug description:
  When nova boot a server with VNC enabled, it does not require
  authentication if an attacker trys to connect to the remote host
  directly from management network. The VNC server sometimes sends the
  connected user to the XDM login screen.

  A warning from Nessus report:

  VNC Server Unauthenticated Access

  Synopsis

  The remote VNC server does not require authentication.

  Description
  The VNC server installed on the remote host allows an attacker to connect to 
the remote host as no authentication is required to access this service.     

  The VNC server sometimes sends the connected user to the XDM login
  screen. Unfortunately, Nessus cannot identify this situation. In such
  a case, it is not possible to go further without valid credentials and
  this alert may be ignored.

  Solution
  Disable the No Authentication security type.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1840869/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to