IS experts studied various implementations of the Virtual Network Computing (VNC) remote access system and found many problems. In total, they identified 37 vulnerabilities in popular VNC implementations.
Exploitation of some of the detected vulnerabilities leads to the remote execution of arbitrary code.
Today, VNC is one of the most common remote access systems, owing to its cross-platform implementations and open-source license. According to Shodan alone, there are more than 600,000 VNC servers.
“Given the devices available only within local networks, it is safe to say that the total number of VNC servers used is measured in millions,” the researchers report.
According to analysts, VNC is also actively used in industrial automation facilities. About 32% of computers in industrial networks have remote administration tools installed, including VNC.
During the course of the study, experts examined the most common VNC implementations, including LibVNC, UltraVNC, TightVNC, and TurboVNC. RealVNC was not checked, because the product license does not allow reverse engineering.
As a result, experts were able to identify 37 different vulnerabilities. Moreover, the researchers note that many of the problems found were “too simple” and that the lifespan of each of them was very long. Some classes of vulnerabilities discovered in the study are present in a large number of open-source projects and persisted even after the code base was refactored.
“Almost all of the analyzed projects have no unit tests; systematic testing of security programs by means of static code analysis or fuzzing is not carried out. Due to the fact that the code is often filled with magic constants, it can be compared with a house of cards: in this unstable design, changing one constant can lead to vulnerabilities,” experts say.
Fortunately, password authentication is often required to exploit server vulnerabilities, and for security reasons, the server may not allow a passwordless authentication method to be configured. UltraVNC, for example, is implemented this way.
Recommendations:
Researchers write that, to protect themselves from malicious users, clients should not connect to unknown VNC servers, and administrators need to configure authentication on the server with a strong, unique password.
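The following Python example is added here and is not part of the research or of any VNC project's code. It parses the server-to-client bytes of an RFB handshake (RFB is the protocol VNC uses) recorded from a server you administer, and reports whether the server offers security type 1 (None), meaning passwordless access. The type numbers follow RFC 6143; the function names and sample byte strings are constructed for illustration.

```python
import struct

# Security-type numbers from the RFB protocol specification (RFC 6143).
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_rfb_greeting(data: bytes) -> dict:
    """Parse the server side of an RFB handshake: the 12-byte version
    banner ("RFB xxx.yyy\\n") followed by the security-type message."""
    if (len(data) < 12 or not data.startswith(b"RFB ")
            or data[7:8] != b"." or data[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion banner")
    try:
        major, minor = int(data[4:7]), int(data[8:11])
    except ValueError:
        raise ValueError("malformed version digits") from None
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a big-endian u32.
        if len(body) < 4:
            raise ValueError("truncated security type")
        types = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7+: one count byte, then that many one-byte type codes.
        if not body:
            raise ValueError("missing security-type count")
        count = body[0]
        if len(body) < 1 + count:
            raise ValueError("security-type list shorter than its count")
        types = list(body[1:1 + count])
    return {
        "version": f"{major}.{minor}",
        "types": [SECURITY_NAMES.get(t, f"type {t}") for t in types],
        "passwordless": 1 in types,  # type 1 = None: no authentication
    }

# Constructed sample handshakes (not captured from real servers).
SAMPLES = {
    "password-only": b"RFB 003.008\n" + bytes([1, 2]),
    "offers-none": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "legacy-3.3-none": b"RFB 003.003\n" + struct.pack(">I", 1),
}

def audit(samples: dict) -> list:
    """Return the names of servers that would accept a passwordless session."""
    return [name for name, raw in samples.items()
            if parse_rfb_greeting(raw)["passwordless"]]

if __name__ == "__main__":
    print(audit(SAMPLES))
```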
Additionally, developers and manufacturers who use the code of third-party VNC projects in their products are recommended to:
- set up a bug-tracking mechanism and monitor for regular updates to the latest releases;
- add compilation options that complicate the exploitation of possible vulnerabilities;
- fuzz and test the project on all architectures for which the product is supplied;
- use sanitizers during fuzzing and at the testing stage.