Security Experts:

Connect with us

Hi, what are you looking for?



Dozens of Vulnerabilities Found in Open Source VNC Systems

Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.

Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.

VNC systems use the remote frame buffer (RFB) protocol to allow users to remotely control a device. According to Kaspersky, VNC is often used in industrial environments and many manufacturers of industrial control systems (ICS) use VNC to add remote administration capabilities to their products.

Kaspersky has analyzed four widely used open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC. The cybersecurity firm says UltraVNC and TightVNC are often recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs).

A total of 37 CVE identifiers have been assigned to the vulnerabilities found by Kaspersky in server and client software. Some of the flaws can be exploited for remote code execution, allowing the attacker to make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC.

In some cases, the security firm noted, the flaws found as part of this research project were variations of previously identified weaknesses.

The server-side vulnerabilities can be exploited by an attacker who is on the same network as the targeted VNC server. However, there are over 600,000 servers directly accessible from the internet, according to data from Shodan.

The client-side weaknesses can be exploited when the user connects to a server controlled by the attacker using a vulnerable VNC client.

Most of the 37 vulnerabilities have been patched. In the case of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not released any fixes, despite being notified in January 2019.

Kaspersky pointed out that while some of these vulnerabilities can pose a serious risk, particularly in the case of industrial systems, exploitation of the server-side bugs in many cases requires authentication, and the software may be designed not to allow authentication without a password. This means that setting a strong password on the server can prevent many attacks. On the client side, the best defense is to ensure that users don’t connect to untrusted VNC servers.

“I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, a researcher at Kaspersky ICS CERT. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code.”

Technical details are available on Kaspersky’s ICS-CERT website.

Related: Open Source Vulnerabilities: Are You Prepared to Run the Race?

Related: New GitHub Security Lab Aims to Secure Open Source Software

Related: Flaws in Open Source Components Pose Increasing Risk to Apps

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.