Security Experts:

Connect with us

Hi, what are you looking for?



Dozens of Vulnerabilities Found in Open Source VNC Systems

Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.

Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.

VNC systems use the remote frame buffer (RFB) protocol to allow users to remotely control a device. According to Kaspersky, VNC is often used in industrial environments and many manufacturers of industrial control systems (ICS) use VNC to add remote administration capabilities to their products.

Kaspersky has analyzed four widely used open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC. The cybersecurity firm says UltraVNC and TightVNC are often recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs).

A total of 37 CVE identifiers have been assigned to the vulnerabilities found by Kaspersky in server and client software. Some of the flaws can be exploited for remote code execution, allowing the attacker to make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC.

In some cases, the security firm noted, the flaws found as part of this research project were variations of previously identified weaknesses.

The server-side vulnerabilities can be exploited by an attacker who is on the same network as the targeted VNC server. However, there are over 600,000 servers directly accessible from the internet, according to data from Shodan.

The client-side weaknesses can be exploited when the user connects to a server controlled by the attacker using a vulnerable VNC client.

Most of the 37 vulnerabilities have been patched. In the case of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not released any fixes, despite being notified in January 2019.

Kaspersky pointed out that while some of these vulnerabilities can pose a serious risk, particularly in the case of industrial systems, exploitation of the server-side bugs in many cases requires authentication, and the software may be designed not to allow authentication without a password. This means that setting a strong password on the server can prevent many attacks. On the client side, the best defense is to ensure that users don’t connect to untrusted VNC servers.

“I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, a researcher at Kaspersky ICS CERT. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code.”

Technical details are available on Kaspersky’s ICS-CERT website.

Related: Open Source Vulnerabilities: Are You Prepared to Run the Race?

Related: New GitHub Security Lab Aims to Secure Open Source Software

Related: Flaws in Open Source Components Pose Increasing Risk to Apps

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...