Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software

Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years and most severe could allow remote attackers to compromise a targeted system.

VNC (virtual network computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft’s RDP service.

The implementation of the VNC system includes a “server component,” which runs on the computer sharing its desktop, and a “client component,” which runs on the computer that will access the shared desktop.

In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you are sitting in front of it.

There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.

Considering that there are currently over 600,000 VNC servers accessible remotely over the Internet and nearly 32% of which are connected to industrial automation systems, cybersecurity researchers at Kaspersky audited four widely used open source implementation of VNC, including:

  • LibVNC
  • UltraVNC
  • TightVNC 1.x
  • TurboVNC

After analyzing these VNC software, researchers found a total of 37 new memory corruption vulnerabilities in client and server software: 22 of which were found in UltraVNC, 10 in LibVNC, 4 in TightVNC, just 1 in TurboVNC.

“All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome,” Kaspersky says. “In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.

Some of the discovered security vulnerabilities can also lead to remote code execution (RCE) attacks, meaning an attacker could exploit these flaws to run arbitrary code on the targeted system and gain control over it.

Since the client-side app receives more data and contains data decoding components where developers often make errors while programming, most of the vulnerabilities affect the client-side version of these software.

On the other hand, the server-side relatively contains a small code base with almost no complex functionality, which reduces the chances of memory-corruption vulnerabilities.

However, the team discovered some exploitable server-side bugs, including a stack buffer overflow flaw in the TurboVNC server that makes it possible to achieve remote code execution on the server.

But, exploiting this flaw requires authentication credentials to connect to the VNC server or control over the client before the connection is established.

Therefore, as a safeguard against attacks exploiting server-side vulnerabilities, clients are recommended not to connect to untrusted or untested VNC servers, and administrators are required to protect their VNC servers with a unique, strong password.

Kaspersky reported the vulnerabilities to the affected developers, all of which have issued patches for their supported products, except TightVNC 1.x that is no longer supported by its creators. So, users are recommended to switch to version 2.x.

What action should businesses take?

The list of vulnerabilities with technical details can be found in the report published on the Kaspersky ICS CERT website. Although our colleagues’ focus was on the use of VNC in industrial enterprises, the threats are relevant to any business that deploys this technology.

To prevent cybercriminals from exploiting these vulnerabilities against you, we recommend that you monitor remote access programs in your infrastructure.

  • Check which devices can connect remotely, and block remote connections if not required.
  • Inventory all remote access applications — not just VNC — and check that their versions are up-to-date. If you have doubts about their reliability, stop using them. If you intend to continue deploying them, be sure to upgrade to the latest version.
  • Protect your VNC servers with a strong password. This will make attacking them far harder.
  • Do not connect to untrusted or untested VNC servers.
  • In industrial enterprise environments, use a specialized security solution for industrial automation systems, for example, Kaspersky Industrial CyberSecurity.

By Swati Khandelwal