
37 critical vulnerabilities found in VNC solutions. Patches now available

This is bad news for software developers worldwide. Vulnerability testing researchers report finding 37 security flaws affecting four major open source implementations of Virtual Network Computing (VNC) software.

Pavel Cheremushkin, a researcher at Kaspersky Labs, found the vulnerabilities in LibVNC, TightVNC 1.x, TurboVNC and UltraVNC. In his report, the expert specified that RealVNC, probably the most popular implementation of this software, was not analyzed because it does not allow reverse engineering.

The scope of the vulnerabilities is broad, as these systems can run on a wide variety of operating systems, including the most popular ones, such as Windows, Linux, macOS, iOS and Android.

According to vulnerability testing experts, a VNC implementation consists of two parts: a client and a server. A user runs the client to remotely access a machine running a VNC server, and the two communicate over the RFB (remote framebuffer) protocol, which carries on-screen images, mouse movements, and keyboard input.

In his report, the expert mentions that, using Shodan, he discovered more than 600,000 VNC servers accessible remotely over the public Internet. All of the vulnerabilities reported by Cheremushkin apparently involve misuse of memory, and their exploitation can lead to denial of service (DoS), malfunction, unauthorized access to user information and even execution of malicious code on the target system.

Most of the security flaws have already been fixed, although in some cases no security patches have been released so far. One such case is TightVNC 1.x: its developers consider it unnecessary to release patches for the first version of the software, which is no longer supported.

In short, the vulnerabilities found by the vulnerability testing expert are:

  • LibVNC:
    Buffer overflows were discovered in the LibVNC library that could allow a
    hacker to bypass some security measures and execute code remotely on the
    client side
  • TightVNC:
    A pointer dereference was found that leads to denial of service (DoS)
    conditions, along with buffer overflows that could allow remote code execution
  • TurboVNC:
    A buffer overflow vulnerability exists in the TurboVNC server that could allow
    remote code execution. This attack requires authorization on the server or
    control over the client before the connection is started
  • UltraVNC:
    This is the implementation where the expert discovered the most flaws, from
    buffer overflows to uncommon vulnerabilities that are exploitable in the wild.
    The most prominent finding is a vulnerability that leads to DoS conditions
    and, in other cases, remote code execution

Although some flaws were of considerable severity, it is not all bad news: Cheremushkin adds that an attacker needs to be authenticated to exploit any of the discovered vulnerabilities on the server side, which greatly reduces the risk of exploitation.

Specialists in vulnerability testing at the International Institute of Cyber Security (IICS) mention that a possible protective measure for customers is to avoid connecting to unknown VNC servers. In addition, administrators could configure server-side authentication to prevent exploits from that vector.
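
As an added example (not part of the original report or of any VNC project's code), here is one way an administrator could verify the server-side authentication advice above: the function parses the server's half of an RFB handshake, as laid out in RFC 6143, and flags a server that offers security type 1 (None). The function name and the sample byte strings are constructed for illustration, and the input is assumed to be the server-to-client bytes captured from a session with your own host.

```python
import struct

# Security-type numbers defined by the RFB specification (RFC 6143).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

class HandshakeError(ValueError):
    """The captured bytes are not a well-formed RFB server handshake."""

def audit_rfb_handshake(server_bytes: bytes) -> dict:
    """Parse ProtocolVersion plus the security message; flag missing auth."""
    banner = server_bytes[:12]
    if len(banner) < 12:
        raise HandshakeError("truncated ProtocolVersion message")
    major, minor = banner[4:7], banner[8:11]
    if not (banner.startswith(b"RFB ") and banner[7:8] == b"."
            and banner.endswith(b"\n") and major.isdigit() and minor.isdigit()):
        raise HandshakeError("not an RFB ProtocolVersion banner")
    version = (int(major), int(minor))
    body = server_bytes[12:]
    if version < (3, 7):
        # RFB 3.3: the server dictates a single type as a 32-bit big-endian integer.
        if len(body) < 4:
            raise HandshakeError("truncated security type")
        offered = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: a count byte followed by that many one-byte types.
        # A count of 0 means the server refused the connection (empty offer).
        if not body:
            raise HandshakeError("missing security-type count")
        count = body[0]
        # Never trust the declared length: check it against the data received.
        if len(body) < 1 + count:
            raise HandshakeError("security-type count exceeds captured data")
        offered = list(body[1:1 + count])
    return {
        "version": "%d.%d" % version,
        "offered": [SECURITY_TYPES.get(t, "type %d" % t) for t in offered],
        "unauthenticated": 1 in offered,
    }

# Constructed sample captures (server-to-client bytes only).
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([2, 1, 2])       # offers None and VNC auth
SAMPLE_AUTH = b"RFB 003.008\n" + bytes([1, 2])          # offers VNC auth only
SAMPLE_OLD = b"RFB 003.003\n" + struct.pack(">I", 1)    # 3.3 server, no auth

if __name__ == "__main__":
    for name, capture in [("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH), ("old", SAMPLE_OLD)]:
        print(name, audit_rfb_handshake(capture))
```

A result with `unauthenticated` set to true means the server accepts sessions without credentials, so the authentication requirement the researcher describes for server-side exploitation would not apply to it.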
