Introduction
Virtual Network Computing, also known as VNC, is a graphical desktop-sharing system. It is used to control another computer remotely by transmitting keyboard and mouse input from one computer to another and relaying the graphical screen updates over a network. This functionality is mediated by the Remote Frame Buffer (RFB) protocol. VNC runs on Windows, Linux, macOS, iOS, Android and other operating systems, where it uses port 5900 or 5800. In addition, a major advantage of VNC is that it allows several computers in different locations to access a single desktop simultaneously.
VNC versus RDP
In our last RDP blog post, we described the RDP protocol and the vulnerabilities found in it. VNC and RDP share some similarities:
- Direct peer-to-peer communication from the local user to the remote desktop device.
- Supporting software which manages users and enables secure access.
- Both provide access to a remote desktop.
Also, there are some differences between them:
- VNC works across multiple operating systems; RDP has limited platform capabilities.
- RDP is faster than VNC.
- Security levels are different between these two protocols.
- VNC connects a user to the computer itself by sharing the screen, keyboard or mouse. As a result, users connected to the same server see the same screen and type on the same keyboard. RDP connects directly to the physical server and supports many users all logged into the same server.
Finding vulnerabilities
There are numerous implementations of VNC. For example, TurboVNC is designed for remote work with graphic, 3D and video objects. UltraVNC is built specifically for Windows operating systems. It is widely used in industrial production for connecting to a human-machine interface (HMI). TightVNC, which no longer supports the first version of the system, is also used for connecting to HMIs. In 2019, 37 VNC vulnerabilities were published, four of which were in this implementation. The producers refused to patch the detected vulnerabilities, and users had to consider moving to another VNC platform. Another common VNC system is LibVNC, which is essentially a library of ready-made code snippets on which developers can build apps. It is also used for remote connections to virtual machines, as well as to iOS and Android mobile devices. Ten bugs were detected in it. More vulnerabilities (22) were found only in UltraVNC, mentioned above. Exploiting these vulnerabilities may lead to denial of service or malfunctions. Attackers can also release malware into the victim’s system or gain unauthorized access to information.
Possible attack vectors
A VNC system consists of client and server components, and there are three main attack vectors:
- Using a VNC client, a user connects to an attacker’s “server”, which exploits vulnerabilities in the client that allow the attacker, for example, to execute arbitrary code on the user’s machine.
- To gain the ability to execute code on the server with the server’s privileges, an attacker must be connected to the same network as the VNC server.
- A version of VNC supplied by attackers with malicious functionality built in. It could be distributed through various unofficial web sources as a free copy of the full enterprise version of some VNC software.
Most vulnerabilities are found on the client side, because the client components include the code that decodes data sent by the server. The result is often vulnerabilities caused by memory corruption. The server-side functionality, on the other hand, is much simpler, which reduces the number of errors. Additional server functionality is provided by extensions, which form a critical part of the whole server implementation, and that is where the majority of errors appear.
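The following added example (not code from any VNC implementation named here) shows the kind of validation a client decoder needs before it touches server-supplied pixel data. It goes beyond the text by using the RFB FramebufferUpdate layout with Raw-encoded rectangles; the function names, the error class and the sample messages are constructed for illustration.

```python
import struct

RAW_ENCODING = 0  # RFB "Raw" encoding: width * height * bytes-per-pixel bytes follow


class RfbDecodeError(ValueError):
    """Raised when a server-supplied update fails validation."""


def parse_framebuffer_update(msg: bytes, fb_width: int, fb_height: int, bpp: int = 4):
    """Validate one FramebufferUpdate message and return its Raw rectangles.

    Every length and coordinate comes from the (untrusted) server, so each
    one is checked against the local framebuffer and against the bytes
    actually received before any pixel data is used.
    """
    if len(msg) < 4:
        raise RfbDecodeError("truncated message header")
    msg_type, _pad, n_rects = struct.unpack_from(">BBH", msg, 0)
    if msg_type != 0:
        raise RfbDecodeError("not a FramebufferUpdate")
    offset, rects = 4, []
    for _ in range(n_rects):
        if len(msg) - offset < 12:
            raise RfbDecodeError("truncated rectangle header")
        x, y, w, h, enc = struct.unpack_from(">HHHHi", msg, offset)
        offset += 12
        if enc != RAW_ENCODING:
            raise RfbDecodeError(f"encoding {enc} not handled in this example")
        # The rectangle must lie inside the framebuffer the client allocated.
        if x + w > fb_width or y + h > fb_height:
            raise RfbDecodeError("rectangle outside framebuffer")
        size = w * h * bpp
        # The declared payload must be present in full.
        if len(msg) - offset < size:
            raise RfbDecodeError("pixel data shorter than declared")
        rects.append((x, y, w, h, msg[offset:offset + size]))
        offset += size
    return rects


def build_update(x, y, w, h, pixels: bytes) -> bytes:
    """Constructed sample input: one Raw rectangle in a FramebufferUpdate."""
    return struct.pack(">BBH", 0, 0, 1) + struct.pack(">HHHHi", x, y, w, h, 0) + pixels
```

In a C or C++ client the same two checks are what stand between a hostile server and an out-of-bounds write or read.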
Table of known VNC vulnerabilities since 2019
CVE – NAME | Specific implementation | CVSS 3.0 Base Score | Source | Published Date |
---|---|---|---|---|
CVE-2019-15681 | LibVNC | 7.5 HIGH | Kaspersky Labs | 10/29/2019 |
CVE-2019-15691 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
CVE-2019-15692 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
CVE-2019-15693 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
CVE-2019-15694 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
CVE-2019-15695 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
CVE-2019-17662 | ThinVNC | 9.8 CRITICAL | MITRE | 10/16/2019 |
CVE-2019-1895 | NFVIS | 9.8 CRITICAL | Cisco Systems, Inc. | 08/07/2019 |
CVE-2019-20382 | QEMU | 3.5 LOW | MITRE | 03/05/2020 |
CVE-2019-8258 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
CVE-2019-8259 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/05/2019 |
CVE-2019-8260 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
CVE-2019-8261 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
CVE-2019-8262 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
CVE-2019-8263 | UltraVNC | 6.5 MEDIUM | Kaspersky Labs | 03/05/2019 |
CVE-2019-8264 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8265 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8266 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8267 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
CVE-2019-8268 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8269 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
CVE-2019-8270 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
CVE-2019-8271 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8272 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8273 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8274 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8275 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2019-8276 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
CVE-2019-8277 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
CVE-2019-8280 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
CVE-2020-25708 | libvncserver-0.9.12 | 7.5 HIGH | Red Hat, Inc. | 11/27/2020 |
CVE-2020-29480 | Xen through 4.14.x | 2.3 LOW | MITRE | 12/15/2020 |
CVE-2021-20590 | VNC servers | 7.5 HIGH | JPCERT/CC | 04/22/2021 |
CVE-2021-41380 | RealVNC | 6.5 MEDIUM | MITRE | 09/17/2021 |
CVE-2021-42785 | TightVNC | 9.8 CRITICAL | GovTech CSG | 11/23/2021 |
CVE-2022-24422 | VNC Console | 9.6 CRITICAL | Dell | 05/26/2022 |
CVE-2022-25226 | ThinVNC | 10.0 CRITICAL | Fluid Attacks | 04/13/2022 |
CVE-2022-25227 | Thinfinity VNC | 8.8 HIGH | Fluid Attacks | 05/20/2022 |
CVE-2022-27502 | RealVNC | 7.8 HIGH | MITRE | 06/10/2022 |
CVE-2022-3165 | QEMU VNC server | 6.5 MEDIUM | Red Hat, Inc. | 10/17/2022 |
CVE-2022-36436 | VNCAuthProxy | 9.8 CRITICAL | MITRE | 09/14/2022 |
CVE-2022-41975 | RealVNC | 7.8 HIGH | MITRE | 09/30/2022 |
Secure configuration on RealVNC
- First of all, passwords. It is essential to choose a unique and complex password. Password managers and generators can be used to create and store hashed authentication data, so there is no need to reuse passwords.
- The Security page of the RealVNC account provides Two-Factor Authentication (2FA), which is highly recommended.
- Sharing remote access with other people through RealVNC can be configured in these three steps:
  - General page – everyone is required to use 2FA.
  - People page – invite only trusted people into the team.
  - Computers page – discovery permissions restricted appropriately.
- Connection audit logs should be reviewed on a regular basis.
- Every remote computer should have the following configured:
  - Connection approval should be turned on, if the owner is physically present.
  - Screen blanking should be turned on, if the remote computer is running on Windows.
  - VNC Server has a DisconnectAction parameter, which should be used to lock or log out the remote desktop when the last user disconnects.
  - Enable 2FA/MFA for VNC Server.
  - VNC Server should be installed in a secure location, for example C:/Program Files.
  - Update notifications should be turned on.
  - Session permissions should be appropriately restricted.
  - The VNC Server BlacklistThreshold parameter is used to lower the number of unsuccessful authentication attempts.
  - The Enterprise edition of RealVNC also supports 256-bit AES encryption. This is enabled by setting the VNC Server Encryption parameter to AlwaysMaximum.
  - Lowering the VNC Server IdleTimeout disconnects idle sessions earlier.
  - Setting the VNC Server AllowIpListenRfb parameter to FALSE should turn off direct connectivity. Existing direct connections are not terminated.
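One way to check a server against the parameters listed above is to audit its settings automatically; the script below is an added example, not RealVNC's own tooling. The Name=Value file layout, the DisconnectAction value names (None, Lock, Logoff), the treatment of a missing AllowIpListenRfb as TRUE, and the numeric limits are assumptions of this example.

```python
# Policy limits are assumptions for this example; the text only says to lower them.
MAX_BLACKLIST_THRESHOLD = 3      # failed attempts tolerated before blocking
MAX_IDLE_TIMEOUT_SECONDS = 600   # longest idle session allowed

# Constructed sample in an assumed Name=Value parameter-file layout.
SAMPLE_CONFIG = """\
# constructed example, not a real server's settings
Encryption=PreferOn
DisconnectAction=None
BlacklistThreshold=10
IdleTimeout=3600
"""


def parse_params(text: str) -> dict:
    """Parse Name=Value lines, ignoring blank lines and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def audit(params: dict) -> list:
    """Return the names of parameters that miss the recommendations above."""
    findings = []
    if params.get("Encryption") != "AlwaysMaximum":
        findings.append("Encryption")
    # The last disconnect should lock or log out the desktop.
    if params.get("DisconnectAction", "None") not in ("Lock", "Logoff"):
        findings.append("DisconnectAction")
    # Direct connectivity is assumed enabled unless explicitly set to FALSE.
    if params.get("AllowIpListenRfb", "TRUE").upper() != "FALSE":
        findings.append("AllowIpListenRfb")
    for name, limit in (("BlacklistThreshold", MAX_BLACKLIST_THRESHOLD),
                        ("IdleTimeout", MAX_IDLE_TIMEOUT_SECONDS)):
        value = params.get(name, "")
        # Missing, non-numeric, zero (treated here as "no limit", an
        # assumption) or too-large values are all reported.
        if not value.isdigit() or int(value) == 0 or int(value) > limit:
            findings.append(name)
    return findings
```

Calling `audit(parse_params(SAMPLE_CONFIG))` flags all five parameters; an empty list means the file meets this example's policy.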
Conclusion
In conclusion, VNC is an easy-to-use tool for connecting to a remote desktop device. It is clear that more vulnerabilities remain undiscovered, but a secure configuration should be implemented regardless. Attackers will always find a way to knock on someone’s door, and they will keep knocking patiently, with more sophisticated attacks, until they get inside. It is up to administrators to be prepared and to keep updating and patching their systems, including VNC software.
Sources
- https://www.kaspersky.com/blog/vnc-vulnerabilities/31462/
- https://www.skywaywest.com/2021/05/what-is-exposed-vnc-why-is-it-a-risk-an-how-can-you-mitigate-that-risk/
- https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=656066
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=vnc
- https://ics-cert.kaspersky.com/publications/reports/2019/11/22/vnc-vulnerability-research/
- https://help.realvnc.com/hc/en-us/articles/360002253278-Setting-up-VNC-Connect-for-Maximum-Security-
- https://www.realvnc.com/en/blog/vnc-vs-rdp-which-remote-desktop-tool-is-best/