Security experts from Kaspersky have discovered 37 vulnerabilities in four VNC implementations, some that have gone undetected since 1999.
VNC (Virtual Network Computing) is a common remote access system used for technical support, system monitoring, e-learning and other functions. An estimated 600,000 VNC systems can be accessed online.
Kaspersky found vulnerabilities in four different VNC implementations (with number of bugs found): TurboVNC (1), TightVNC (4), LibVNC (10) and UltraVNC (as many as 22).
UltraVNC is built for Windows systems and is widely used in industrial production for remote connectivity to human-machine interfaces (HMIs). In addition, LibVNC is often used in systems that allow remote connections to virtual machines and mobile devices running iOS or Android.
Kaspersky confirmed all of the vulnerabilities were related to incorrect memory usage:
“Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome. In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.”
Although the code developers have fixed some of the bugs, not all of them have been addressed. For instance, the developers of TightVNC no longer support the first version of the VNC solution. To add, they also won’t provide any patches. Kaspersky recommmends organizations consider moving to another VNC platform.
Another risk is some of the programs may be based on open-sourced libraries with vulnerable code. Unless developers monitor closely and update code to address vulnerabilities, organizations may be at risk.
To help with mitigations, Kaspersky recommends organizations inventory and closely monitor remote access programs used in their infrastructure. In addition, VNC administrators should use strong passwords and keep VNC systems up to date.