Fix CVE-2022-36436 - Authentication bypass in RFB security handshake

osuosl · Jul 27, 2022 · 823455c · 823455c
1 parent 3dffdff
commit 823455c
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/vncap/vnc/protocol.py b/vncap/vnc/protocol.py
@@ -73,8 +73,8 @@ def check_version(self, version):
 
         if version == self.VERSION:
             log.msg("Client version %s is valid" % version.strip())
-            # Hardcoded: 2 security types: None and VNC Auth.
-            self.transport.write("\x02\x01\x02")
+            # Hardcoded: 1 security type: VNC Auth.
+            self.transport.write("\x01\x02")
             return self.select_security_type, 1
         else:
             log.err("Can't handle VNC version %r" % version)
@@ -93,9 +93,6 @@ def select_security_type(self, security_type):
             self.transport.write(self.challenge)
 
             return self.vnc_authentication_result, 16
-        elif security_type == 1:
-            # No authentication. Just move to the SecurityResult.
-            self.authenticated()
         else:
             log.err("Couldn't agree on an authentication scheme!")
             self.transport.loseConnection()