Security bug in SLES 11 & 12 for VNC


I have found a security bug in SLES 11 & 12, any SP version.

Bug: If my vncserver password is more than eight characters, then it is also possible to connect using those eight characters followed by anything.

Let's say my VNC password is "P@ssword123"; then I can also connect by typing "P@ssword" or "P@ssword654" (or any characters after the first eight).

Anyone noticed it?

Please suggest how to resolve this issue.



  • Hi, this is not a support forum for generic problems. Please use the support means included in your SUSE Linux Enterprise Linux subscription.
  • enzomatsumiya (New or Quiet Member)
    Hi raheelqaiser2,

    This is an old and known bug.

    Most VNC systems implement their authentication using DES encryption (
    You can read more about the details on the Wikipedia link, but in short, DES limits key sizes to 8 bytes (characters). Passwords shorter than 8 are padded with zeroes.

    Some implementations allow passwords to be longer than 8 (RealVNC allows 255, for example). But then, if you connect to a server that is using the standard authentication implementation, your password will just silently be trimmed to 8 characters, ignoring anything beyond that.

    Hope this helps.
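The key-derivation step the reply describes can be modelled directly. The following is an added example written for this page, not code from SUSE, RealVNC or any VNC project: it mirrors how classic VNC authentication turns a password into a DES key (first 8 bytes, zero-padded when shorter, each byte bit-reversed, which is a known quirk of the VNC scheme rather than something the reply mentions) and includes a small defender-side audit that reports how much of a configured password actually counts. It models only the standard 8-byte scheme, not RealVNC's longer-password extension, and the passwords used are constructed to match the thread.

```python
"""Model of the classic VNC authentication key derivation (added example).

Illustrates the behaviour discussed above: the password is cut to 8 bytes
(zero-padded if shorter) before it becomes the DES key, so everything after
the eighth character has no effect on the challenge response. The per-byte
bit reversal is a well-known quirk of the VNC scheme and does not change the
truncation. Standard library only; no network access.
"""

VNC_KEY_LEN = 8  # DES key length in bytes, the limit the reply refers to


def _reverse_bits(byte: int) -> int:
    """Reverse the bit order of one byte (VNC's historical DES key quirk)."""
    return int(f"{byte:08b}"[::-1], 2)


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key classic VNC auth uses from a password.

    Characters beyond the eighth are dropped; shorter passwords are padded
    with zero bytes. Latin-1 keeps one byte per character for ASCII input.
    """
    raw = password.encode("latin-1", errors="replace")[:VNC_KEY_LEN]
    raw = raw.ljust(VNC_KEY_LEN, b"\x00")
    return bytes(_reverse_bits(b) for b in raw)


def vnc_equivalent(password_a: str, password_b: str) -> bool:
    """True if both passwords yield the same DES key.

    Identical keys mean identical responses to every challenge, so the
    server cannot distinguish the two passwords.
    """
    return vnc_des_key(password_a) == vnc_des_key(password_b)


def audit_vnc_password(password: str) -> dict:
    """Defender-side check for a configured VNC password.

    Reports how many characters actually contribute to the key, which
    suffix is silently ignored, and how many key bytes are zero padding.
    """
    effective = password[:VNC_KEY_LEN]
    return {
        "effective_chars": len(effective),
        "ignored_suffix": password[VNC_KEY_LEN:],
        "zero_padded_bytes": VNC_KEY_LEN - len(effective),
    }


if __name__ == "__main__":
    # Constructed passwords matching the forum example.
    configured = "P@ssword123"
    for attempt in ("P@ssword", "P@ssword654", "P@sswordXYZ", "P@ssw0rd"):
        print(f"{attempt!r:16} same key as {configured!r}? "
              f"{vnc_equivalent(configured, attempt)}")
    print(audit_vnc_password(configured))
```

Running it shows the three variants sharing the first eight characters all derive the same key as "P@ssword123", while "P@ssw0rd" does not; the audit reports that only 8 of the 11 configured characters count and that "123" is ignored.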