Researchers at Kaspersky Lab have identified 37 vulnerabilities in popular Virtual Network Computing (VNC) applications, some of which are critical and could allow access to sensitive information, the deployment of malware, and the remote execution of arbitrary code. In the most part, the vulnerabilities could result in malfunction or denial of service although some could result in a full compromise of a vulnerable system.
VNC is a desktop sharing protocol that serves a similar purpose to Microsoft’s Remote Desktop Protocol. When connected, a user can perform tasks on the remote computer from their own. It is most commonly used in industrial environments, with an estimated 32% of industrial networked computers having VNC-based remote administration tools.
If attackers were to succeed in compromising a system, the damage that could be caused is significant and could result in production processes being severely disrupted. There are believed to be around 600,000 VNC servers which can be remotely accessed via the Internet.
VNC systems consist of two components. There is a server component that is installed on a computer to allow remote users to access the desktop, and the client component which is implemented on the computer that wants to access a shared desktop.
There are several VNC-based systems, but the researchers focused on four of the most commonly used – UltraVNC, LibVNC, TightVNC1.x, and TurboVNC. 37 memory corruption vulnerabilities were identified in both the client and server components. The majority of the vulnerabilities were in UltraVNC (22) and LibVNC (10). A further 4 were found in TightVNC1.x, and 1 in TurboVNC. Most affect the client component of the system.
While the flaws are serious, the majority can only be exploited if a user is authenticated to connect to the VNC server or has control over the client before a connection is established. It is therefore important to ensure that all VNC servers are protected with strong passwords and connections should be blocked when not required. Clients should not be allowed to connect to untrusted VNC servers.
Users of TightVNC 1.x should note that the product is no longer supported and has reached end of life, so the flaw will not be fixed. This flaw is one of the most serious as it allows remote code execution. It has been assigned a CVSS score of 9.8 out of 10.
Patches have now been released for all supported versions and users are advised to apply the patches as soon as possible to protect their systems from attack.