Remote access is convenient and at times indispensable. The downside is that it can provide an entry point into your corporate infrastructure for intruders, especially if the remote access tools you use are vulnerable.

VNC vulnerabilities

Our ICS CERT studied several VNC (Virtual Network Computing) implementations. VNC is a common remote access system widely employed for technical support, equipment monitoring, distance learning, and other purposes. These implementations were found to contain a total of 37 vulnerabilities, some of which had gone unnoticed since 1999.

It is difficult to put a precise figure on the number of devices that use VNC systems, but judging by data from the Shodan search engine, more than 600,000 VNC servers can be accessed online. The actual figure is likely to be far higher.

Where we found the vulnerabilities

Our experts looked at four common open-source VNC implementations:

LibVNC — a library, that is, a set of ready-made code snippets on which basis developers can create apps; LibVNC is used, for example, in systems that allow remote connections to virtual machines, as well as iOS and Android mobile devices.

TightVNC 1.X — an application recommended by vendors of industrial automation systems for connecting to a human–machine interface (HMI).

TurboVNC — a VNC implementation for remote work with graphic, 3D, and video objects.

UltraVNC — a VNC variant built specifically for Windows; it is also widely used in industrial production for connecting to HMIs.

Bugs were detected in all four systems: one in TurboVNC, four in TightVNC, ten in LibVNC, and as many as 22 in UltraVNC.

What the vulnerabilities are and how they can be exploited

VNC applications consist of two parts: a server installed on the computer to which your employee connects remotely, and a client running on the device from which it connects. Vulnerabilities are far less common on the server side, which is usually somewhat simpler and therefore has fewer bugs. Nevertheless, our CERT experts found flaws in both parts of the applications under investigation, although an attack on the server in many cases would be impossible without authorization.

All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome. In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.

Some vulnerabilities fixed, but not all

Our CERT folks reported the bugs to the developers of the respective libraries and applications. Most of them have been fixed already. Alas, there is an exception: The creators of TightVNC no longer support the first version of their system, and they refused to patch the vulnerabilities detected in it. This is a weighty reason to consider moving to another VNC platform.

What’s more, as in many open-source projects, vulnerable code gets used in a large number of other developments, and not all developers keep close tabs on library updates from which they borrowed snippets for their creations. Such programs will remain vulnerable until their creators update the code, which, we regret to say, may never happen.

What action should businesses take?

The list of vulnerabilities with technical details can be found in the report published on the Kaspersky ICS CERT website. Although our colleagues’ focus was on the use of VNC in industrial enterprises, the threats are relevant to any business that deploys this technology.

To prevent cybercriminals from exploiting these vulnerabilities against you, we recommend that you monitor remote access programs in your infrastructure.