37 critical vulnerabilities found in VNC solutions. Patches now available

This is bad news for software programmers worldwide. Vulnerability testing researchers have reported 37 security flaws affecting four major open source implementations of Virtual Network Computing (VNC) software.

Pavel Cheremushkin, researcher at Kaspersky Labs, was responsible for finding the vulnerabilities in LibVNC, TightVNC 1.x, TurboVNC and UltraVNC products. In his report, the expert specified that RealVNC, probably the most popular implementation of this software, was not subjected to analysis since it does not allow reverse engineering.

The scope of the vulnerabilities is broad, as these systems run on many operating systems, including the most popular ones, such as Windows, Linux, macOS, iOS and Android.

According to vulnerability testing experts, a VNC implementation consists of two parts: a client and a server. A user runs the client to remotely access a machine running a VNC server; the two communicate over the RFB protocol, which carries on-screen images, mouse movements and keystrokes.

In his report, the expert mentions that, using Shodan, he found more than 600,000 VNC servers accessible remotely over the public Internet. All the vulnerabilities reported by Cheremushkin apparently stem from misuse of memory, and their exploitation can lead to denial of service (DoS), malfunction, unauthorized access to user information and even execution of malicious code on the target system.

Most of the security flaws have already been fixed, although in some cases no security patches have been released so far. One such case is TightVNC 1.x: its developers consider it unnecessary to release patches for the first version of the software, which is no longer supported.

In short, the vulnerabilities found by the vulnerability testing expert are:

  • LibVNC: Buffer overflows were discovered in the LibVNC library that could allow a hacker to bypass some security measures to execute code remotely on the client side
  • TightVNC: A pointer dereference was found that leads to denial of service (DoS) states, along with buffer overflows that could allow remote code execution
  • TurboVNC: A buffer overflow vulnerability exists on the TurboVNC server that could allow remote code execution. This attack requires authorization on the server or control over the client before starting the connection
  • UltraVNC: This is the implementation where the expert discovered the most flaws, from buffer overflows to uncommon and exploitable vulnerabilities in the wild. The most prominent finding is a vulnerability that leads to DoS conditions and, in other cases, remote code execution

Although some flaws were of considerable severity, it is not all bad news: Cheremushkin adds that an attacker needs to be authenticated to exploit any of the discovered vulnerabilities on the server side, which greatly reduces the risk of exploitation.

Specialists in vulnerability testing at the International Institute of Cyber Security (IICS) mention that a possible protective measure for customers is to avoid connecting to unknown VNC servers; in addition, administrators could configure server-side authentication to prevent exploits from that vector.
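
One way an administrator can confirm that server-side authentication is actually enforced is to inspect the opening RFB messages of their own server. The following is an added example, not part of the original report: it parses a captured server handshake (message layout per RFC 6143) and flags a server that offers the "None" security type. The function names are hypothetical and the sample byte strings are constructed.

```python
import struct

# Security-type numbers from the RFB specification (RFC 6143).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_server_handshake(stream: bytes) -> dict:
    """Parse server-to-client bytes: ProtocolVersion, then security types."""
    # Assumption: the client replied with the same version the server sent.
    if (len(stream) < 12 or stream[:4] != b"RFB "
            or stream[7:8] != b"." or stream[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    try:
        version = (int(stream[4:7].decode("ascii")),
                   int(stream[8:11].decode("ascii")))
    except ValueError:
        raise ValueError("malformed RFB version digits") from None
    body = stream[12:]
    if version < (3, 7):
        # RFB 3.3: the server picks one type, sent as a 32-bit integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        offered = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: a count byte, then that many one-byte type codes.
        if len(body) < 1 or len(body) < 1 + body[0]:
            raise ValueError("security-type list is truncated")
        offered = list(body[1:1 + body[0]])
    # Type 0 (or an empty list) means the server refused the connection.
    offered = [t for t in offered if t != 0]
    return {"version": version, "offered": offered}

def audit(stream: bytes) -> str:
    """Return a one-line finding for a captured server handshake."""
    offered = parse_server_handshake(stream)["offered"]
    names = ", ".join(SECURITY_TYPES.get(t, f"type {t}") for t in offered)
    if 1 in offered:
        return f"FAIL: unauthenticated sessions accepted ({names})"
    if not offered:
        return "INFO: server refused the connection"
    return f"OK: 'None' type not offered ({names})"

# Constructed sample captures, not taken from any real server.
OPEN_SERVER = b"RFB 003.008\n" + bytes([2, 1, 2])     # None + VNC Auth
AUTH_SERVER = b"RFB 003.008\n" + bytes([1, 2])        # VNC Auth only
OLD_SERVER = b"RFB 003.003\n" + struct.pack(">I", 1)  # RFB 3.3, None

if __name__ == "__main__":
    for capture in (OPEN_SERVER, AUTH_SERVER, OLD_SERVER):
        print(audit(capture))
```

Every read is preceded by a length check, so a truncated or malformed capture raises `ValueError` instead of being misparsed.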