Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years and most severe could allow remote attackers to compromise a targeted system.
VNC (virtual network computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft’s RDP service.
The implementation of the VNC system includes a “server component,” which runs on the computer sharing its desktop, and a “client component,” which runs on the computer that will access the shared desktop.
In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you are sitting in front of it.
There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.
Considering that there are currently over 600,000 VNC servers accessible remotely over the Internet and nearly 32% of which are connected to industrial automation systems, cybersecurity researchers at Kaspersky audited four widely used open source implementation of VNC, including:
- TightVNC 1.x
After analyzing these VNC software, researchers found a total of 37 new memory corruption vulnerabilities in client and server software: 22 of which were found in UltraVNC, 10 in LibVNC, 4 in TightVNC, just 1 in TurboVNC.
“All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome,” Kaspersky says. “In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.
Some of the discovered security vulnerabilities can also lead to remote code execution (RCE) attacks, meaning an attacker could exploit these flaws to run arbitrary code on the targeted system and gain control over it.
Since the client-side app receives more data and contains data decoding components where developers often make errors while programming, most of the vulnerabilities affect the client-side version of these software.
images from Hacker News