Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.
VNC systems use the remote frame buffer (RFB) protocol to allow users to remotely control a device. According to Kaspersky, VNC is often used in industrial environments and many manufacturers of industrial control systems (ICS) use VNC to add remote administration capabilities to their products.
Kaspersky has analyzed four widely used open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC. The cybersecurity firm says UltraVNC and TightVNC are often recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs).
A total of 37 CVE identifiers have been assigned to the vulnerabilities found by Kaspersky in server and client software. Some of the flaws can be exploited for remote code execution, allowing the attacker to make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC.
In some cases, the security firm noted, the flaws found as part of this research project were variations of previously identified weaknesses.
The server-side vulnerabilities can be exploited by an attacker who is on the same network as the targeted VNC server. However, there are over 600,000 servers directly accessible from the internet, according to data from Shodan.
The client-side weaknesses can be exploited when the user connects to a server controlled by the attacker using a vulnerable VNC client.
Most of the 37 vulnerabilities have been patched. In the case of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not released any fixes, despite being notified in January 2019.
Kaspersky pointed out that while some of these vulnerabilities can pose a serious risk, particularly in the case of industrial systems, exploitation of the server-side bugs in many cases requires authentication, and the software may be designed not to allow authentication without a password. This means that setting a strong password on the server can prevent many attacks. On the client side, the best defense is to ensure that users don’t connect to untrusted VNC servers.
“I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, a researcher at Kaspersky ICS CERT. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code.”
Technical details are available on Kaspersky’s ICS-CERT website.