A new Kaspersky report reveals that four common open-source VNC (Virtual Network Computing) remote desktop applications contain 37 vulnerabilities that could allow remote attacks.
Four common open-source VNC apps contain 37 vulnerabilities
The issue with remote desktop apps is that they can provide an entry point into a company's infrastructure, and the entry becomes even easier if the remote access tools themselves are vulnerable, the researchers pointed out in their report.
Knowing these risks, the researchers decided to look into four common open-source VNC apps:
- LibVNC — a library, that is, a set of ready-made code on which developers can build their own apps; LibVNC is used, for example, in systems that allow remote connections to virtual machines, as well as to iOS and Android mobile devices.
- TightVNC 1.X — an application recommended by vendors of industrial automation systems for connecting to a human–machine interface (HMI).
- TurboVNC — a VNC implementation for remote work with graphic, 3D, and video objects.
- UltraVNC — a VNC variant built specifically for Windows; it is also widely used in industrial production for connecting to HMIs.
Unsurprisingly, the experts discovered vulnerabilities in all four implementations: one in TurboVNC, four in TightVNC, ten in LibVNC, and 22 in UltraVNC, for a total of 37 vulnerabilities.
All the issues stem from incorrect memory handling, and exploiting them could cause malfunctions and denial of service. In a worse scenario, however, attackers could gain unauthorized access to information on the system, or even drop malware on it.
The bugs were reported to the developers of the respective libraries and apps, and most of them have already been fixed. However, the developers of TightVNC no longer support the first version of their software, and hence did not fix its vulnerabilities. "This is a weighty reason to consider moving to another VNC platform," the researchers said.
Additional trouble may come from the fact that the vulnerable code is reused in many other open-source projects, and not all of their developers pull in library updates. Such apps will remain vulnerable unless their developers update the vulnerable code, which may never happen.
More information about the vulnerabilities is available in Kaspersky’s ICS CERT report.
Although the focus of the research was on the use of VNC in industrial enterprises, the threats are relevant to any business that deploys this technology, Kaspersky noted.