Skip to main content
Topic: VNC Vulnerabilties (Read 930 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

VNC Vulnerabilties

https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/

I would never usually post security information but in this case, folks use vnc FOR security so... there it is.


Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions
By Sergiu Gatlan

    November 22, 2019 03:55 PM 0

Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions

Researchers found a total of 37 security vulnerabilities impacting four open-source Virtual Network Computing (VNC) implementations and present for the last 20 years, since 1999.

The flaws were found in LibVNC, TightVNC 1.X, TurboVNC, and UltraVNC VNC solutions examined by Kaspersky's Industrial Systems Emergency Response Team (ICS CERT) security researcher Pavel Cheremushkin — the highly popular RealVNC as not analyzed because it did not allow reverse engineering.

These VNC systems can be used on a wide range of operating systems including but not limited to Windows, Linux, macOS, iOS, and Android.

A VNC implementation consists of two parts, a client and a server, allowing the users to remotely access a machine running the VNC server with the help of a VNC client using the RFB protocol to transmit "screen images, mouse movement and keypress events".

You can find more details about VNC implementations analyzed by Cheremushkin below:

        LibVNC – an open-source cross-platform library for creating a custom application based on the RFB protocol. The server component of LibVNC is used, for example, in VirtualBox to provide access to the virtual machine via VNC.
        UltraVNC – a popular open-source VNC implementation developed specifically for Windows. Recommended by many industrial automation companies for connecting to remote HMI interfaces over the RFB protocol.
        TightVNC 1.X – one more popular implementation of the RFB protocol. Recommended by many industrial automation system vendors for connecting to HMI interfaces from *nix machines.
        TurboVNC – an open-source VNC implementation. Uses the libjpeg-turbo library to compress JPEG images in order to accelerate image transfer.

Over 600,000 VNC servers potentially exposed

Based on this information, Kaspersky's ICS CERT researcher discovered over 600,000 VNC servers that can be accessed remotely over the Internet based on the info collected using the Shodan search engine for Internet-connected devices — this estimation doesn't cover the VNC servers running on local area networks.

The VNC security flaws Cheremushkin found are all caused by incorrect memory usage, with attacks exploiting them leading to denial of service states, malfunctions, as well as unauthorized access to the users' info and the option to run malicious code on a target's device.

"Although our colleagues’ focus was on the use of VNC in industrial enterprises, the threats are relevant to any business that deploys this technology," the Kaspersky report adds.

While most of the VNC memory corruption vulnerabilities disclosed by the researchers to the development teams were fixed, in some cases they haven't been addressed to this day.

This is the case of TightVNC 1.X, whose developers said that they won't fix the found security issues since the software's first version is "no longer support the first version of their system [..]." They currently maintain the TightVNC 2.X commercial product.
Bugs found in VNC solutions

Cheremushkin found heap-based buffer overflows in the LibVNC library that could potentially allow attackers "to bypass ASLR and use overflow to achieve remote code execution on the client."

TightVNC came with a null pointer dereference leading to Denial of System (DoS) states, as well as two heap buffer overflows and a global buffer overflow that could lead to remote code execution. As already mentioned above, these security issues will not be fixed.

A stack buffer overflow vulnerability was discovered in the TurboVNC server the might lead to remote code execution, although it requires authorization on the server or control over the VNC client before the connection.

When it comes to UltraVNC, the researcher says that he was able to discover "an entire 'zoo' of vulnerabilities in UltraVNC – from trivial buffer overflows in strcpy and sprintf to more or less curious vulnerabilities that can rarely be encountered in real-world projects."

Out of all UltraVNC flaws he spotted, the buffer underflow one tracked as CVE-2018-15361 that can trigger a DoS in 100% of attacks but can also be used for remote code execution. The CVE-2019-8262 one is assigned to multiple heap buffer overflow vulnerabilities that can result in remote code execution.

The full list of discovered VNC vulnerabilities found by Kaspersky's Pavel Cheremushkin are listed in the table below:
VNC implementation    Vulnerabilities
LibVNC    

    CVE-2018-6307
    CVE-2018-15126
    CVE-2018-15127
    CVE-2018-20019
    CVE-2018-20020
    CVE-2018-20021
    CVE-2018-20022
    CVE-2018-20023
    CVE-2018-20024
    CVE-2019-15681

TightVNC 1.X    

    CVE-2019-8287
    CVE-2019-15678
    CVE-2019-15679
    CVE-2019-15680

TurboVNC    

    CVE-2019-15683

UltraVNC    

    CVE-2018-15361
    CVE-2019-8258
    CVE-2019-8259
    CVE-2019-8260
    CVE-2019-8261
    CVE-2019-8262
    CVE-2019-8263
    CVE-2019-8264
    CVE-2019-8265
    CVE-2019-8266
    CVE-2019-8267
    CVE-2019-8268
    CVE-2019-8269
    CVE-2019-8270
    CVE-2019-8271
    CVE-2019-8272
    CVE-2019-8273
    CVE-2019-8274
    CVE-2019-8275
    CVE-2019-8276
    CVE-2019-8277
    CVE-2019-8280

"On the positive side, password authentication is often required to exploit server-side vulnerabilities, and the server may not allow users to configure a password-free authentication method for security reasons. This is the case, for example, with UltraVNC," Cheremushkin concluded.

'As a safeguard against attacks, clients should not connect to unknown VNC servers and administrators should configure authentication on the server using a unique strong password."

Kaspersky provides the following recommendations to block attackers from exploiting these VNC security flaws:
• Check which devices can connect remotely, and block remote connections if not required.
• Inventory all remote access applications — not just VNC — and check that their versions are up-to-date. If you have doubts about their reliability, stop using them. If you intend to continue deploying them, be sure to upgrade to the latest version.
• Protect your VNC servers with a strong password. This will make attacking them far harder.
• Do not connect to untrusted or untested VNC servers.

Further information and more details on the VNC vulnerabilities discovered by Cheremushkin are available in the full VNC vulnerability research report available on the Kaspersky Lab ICS CERT website
Related Articles:

Microsoft Office December Security Updates Fix Remote Execution Bugs

New Linux Vulnerability Lets Attackers Hijack VPN Connections

Intel Patched 77 Vulnerabilities in November 2019 Platform Update

Microsoft Warns of More Harmful Windows BlueKeep Attacks, Patch Now

Intel Patches Plundervolt, High Severity Issues in Platform Update