Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years and most severe could allow remote attackers to compromise a targeted system.
VNC (virtual network computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft’s RDP service.
The implementation of the VNC system includes a “server component,” which runs on the computer sharing its desktop, and a “client component,” which runs on the computer that will access the shared desktop.
In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you are sitting in front of it.
There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.
Considering that there are currently over 600,000 VNC servers accessible remotely over the Internet and nearly 32% of which are connected to industrial automation systems, cybersecurity researchers at Kaspersky audited four widely used open source implementation of VNC, including:
- LibVNC
- UltraVNC
- TightVNC 1.x
- TurboVNC
After analyzing these VNC software, researchers found a total of 37 new memory corruption vulnerabilities in client and server software: 22 of which were found in UltraVNC, 10 in LibVNC, 4 in TightVNC, just 1 in TurboVNC.
“All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome,” Kaspersky says. “In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.
Some of the discovered security vulnerabilities can also lead to remote code execution (RCE) attacks, meaning an attacker could exploit these flaws to run arbitrary code on the targeted system and gain control over it.
Since the client-side app receives more data and contains data decoding components where developers often make errors while programming, most of the vulnerabilities affect the client-side version of these software.
On the other hand, the server-side relatively contains a small code base with almost no complex functionality, which reduces the chances of memory-corruption vulnerabilities.
However, the team discovered some exploitable server-side bugs, including a stack buffer overflow flaw in the TurboVNC server that makes it possible to achieve remote code execution on the server.
But, exploiting this flaw requires authentication credentials to connect to the VNC server or control over the client before the connection is established.
Therefore, as a safeguard against attacks exploiting server-side vulnerabilities, clients are recommended not to connect to untrusted or untested VNC servers, and administrators are required to protect their VNC servers with a unique, strong password.
Kaspersky reported the vulnerabilities to the affected developers, all of which have issued patches for their supported products, except TightVNC 1.x that is no longer supported by its creators. So, users are recommended to switch to version 2.x.