A new Kaspersky report reveals that four common, open-source VNC (virtual network computing) remote desktop apps contain 37 vulnerabilities that could enable remote attacks.
Four common open-source VNC apps contain 37 vulnerabilities
The issue with desktop apps is that they can provide an entry point into a company’s infrastructure, which becomes even easier if the remote access tools are vulnerable, the researchers pointed out in their report.
Knowing these risks, the researchers decided to look into four common open-source VNC apps:
- LibVNC — a library, that is, a set of ready-made code snippets on which basis developers can create apps; LibVNC is used, for example, in systems that allow remote connections to virtual machines, as well as iOS and Android mobile devices.
- TightVNC 1.X — an application recommended by vendors of industrial automation systems for connecting to a human–machine interface (HMI).
- TurboVNC — a VNC implementation for remote work with graphic, 3D, and video objects.
- UltraVNC — a VNC variant built specifically for Windows; it is also widely used in industrial production for connecting to HMIs.
Not surprisingly, the experts discovered vulnerabilities in all four implementations. One vulnerability was discovered in TurboVNC, four in TightVNC, ten in LibVNC, and 22 in UlraVNC, which makes the total of 37 vulnerabilities.
All the issues stem from incorrect memory usage, and their exploitation could lead to malfunctions and denial-of-service attacks. However, in a worse scenario, attackers could be able to gain unauthorized access to information on the system, or even drop malware.
The bugs were reported to the developers of the respective software libraries and apps, and most of them have already been fixed. However, the developers of TightVNC don’t support the first version of their system anymore, and hence they didn’t fix the vulnerabilities. “This is a weighty reason to consider moving to another VNC platform,” the researchers said.
Additional trouble may come from the fact that vulnerable code is used in many open-source projects, and not all developers implement library updates. Such apps will remain vulnerable unless their developers update the vulnerable code, which may not happen at all.
More information about the vulnerabilities is available in Kaspersky’s ICS CERT report.
Although the focus of the research was on the use of VNC in industrial enterprises, the threats are relevant to any business that deploys this technology, Kaspersky noted.