Virtual Network Computing

  • Friday, Nov 18, 2022

Introduction

Virtual Network Computing, also known as VNC, is a graphical desktop-sharing system. It is used to control another computer remotely by transmitting keyboard and mouse input from one computer to another and relaying the graphical screen updates over a network. This functionality is mediated by the Remote Frame Buffer (RFB) protocol. VNC runs on Windows, Linux, macOS, iOS, Android and other operating systems, where it uses port 5900 or 5800. In addition, a major advantage of VNC is that it allows several computers in different locations to access a single desktop simultaneously.

VNC versus RDP

In our last RDP blog post, we described the RDP protocol and the vulnerabilities found in it. VNC and RDP share some similarities:

  • Direct peer-to-peer communication from the local user to the remote desktop computer.
  • Supporting software which manages users and enables secure access.
  • Both provide access to a remote desktop.

Also, there are some differences between them:

  • VNC works across multiple operating systems, while RDP has limited platform capabilities.
  • RDP is faster than VNC.
  • The two protocols offer different security levels.
  • VNC connects a user to the computer itself by sharing the screen, keyboard and mouse. As a result, users connected to the same server see the same screen and type on the same keyboard. RDP connects directly to the physical server and supports many users all logged into the same server.

Finding vulnerabilities

There are numerous implementations of VNC. For example, TurboVNC is implemented for remote work with graphic, 3D and video objects. UltraVNC is built specifically for Windows operating systems. It is widely used in industrial production for connecting to a human-machine interface (HMI). TightVNC, which no longer supports the first version of the system, is also used for connecting to HMIs. In 2019, 37 VNC vulnerabilities were published, four of them in this implementation. The producers refused to patch the detected vulnerabilities, and users had to consider moving to another VNC platform. Another common VNC system is LibVNC, which is basically a library of ready-made code snippets on which developers can build apps. It is also used for remote connections to virtual machines, as well as to iOS and Android mobile devices. Ten bugs were detected in it. More vulnerabilities (22) were found only in UltraVNC, mentioned above. Exploiting these vulnerabilities may lead to denial of service or malfunctions. Attackers can also release malware into the victim’s system or gain unauthorized access to information.

Possible attack vectors

A VNC system consists of client and server components, and there are three main attack vectors:

  • Using a VNC client, the user connects to an attacker’s “server”, which exploits vulnerabilities in the client that allow the attacker, for example, to execute arbitrary code on the user’s machine.
  • To gain the ability to execute code on the server with the server’s privileges, an attacker must be connected to the same network where the VNC server is located.
  • A version of VNC provided by the attackers with malicious functionality implemented inside. It could be distributed from various unofficial web sources as a free copy of the full enterprise version of some VNC software.

Most vulnerabilities are found on the client side, because the client components include the implementation that decodes data sent by the server. The result is often vulnerabilities caused by memory corruption. The server-side functionality, on the other hand, is much simpler, which reduces the number of errors. Additional server functionality is provided by extensions, which form a critical part of the whole server implementation, and that is where the majority of server errors appear.
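The client-side decoding step described above, as an added example that is not from the original post or from any VNC project: a parser for an RFB FramebufferUpdate message carrying Raw rectangles (layout per RFC 6143) that checks every server-supplied size before using it. The function names, the 640x480 framebuffer and the sample messages are assumptions constructed for illustration.

```python
import struct

RAW = 0  # RFB encoding type for uncompressed pixels (RFC 6143)

class RfbDecodeError(ValueError):
    pass

def _take(buf, off, n):
    """Return (buf[off:off+n], new offset), refusing to read past the message end."""
    if n < 0 or off + n > len(buf):
        raise RfbDecodeError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n

def decode_framebuffer_update(msg, fb_width, fb_height, bytes_per_pixel=4):
    """Parse a FramebufferUpdate of Raw rectangles into [(x, y, w, h, pixels)]."""
    hdr, off = _take(msg, 0, 4)
    msg_type, _pad, n_rects = struct.unpack(">BBH", hdr)
    if msg_type != 0:
        raise RfbDecodeError(f"not a FramebufferUpdate (type {msg_type})")
    rects = []
    for _ in range(n_rects):
        rhdr, off = _take(msg, off, 12)
        x, y, w, h, enc = struct.unpack(">HHHHi", rhdr)
        if enc != RAW:
            raise RfbDecodeError(f"unsupported encoding {enc}")
        # Server-controlled geometry must fit the framebuffer the client allocated.
        if x + w > fb_width or y + h > fb_height:
            raise RfbDecodeError(f"rectangle {x},{y} {w}x{h} outside {fb_width}x{fb_height}")
        # The pixel payload must really be as long as the header claims.
        pixels, off = _take(msg, off, w * h * bytes_per_pixel)
        rects.append((x, y, w, h, pixels))
    if off != len(msg):
        raise RfbDecodeError("trailing bytes after last rectangle")
    return rects

def build_update(rects):
    """Constructed sample input: serialise rectangles the way a server would."""
    out = struct.pack(">BBH", 0, 0, len(rects))
    for x, y, w, h, pixels in rects:
        out += struct.pack(">HHHHi", x, y, w, h, RAW) + pixels
    return out

GOOD = build_update([(0, 0, 2, 2, b"\x11" * 16)])
OVERSIZED = build_update([(639, 479, 2, 2, b"\x22" * 16)])  # spills past 640x480
TRUNCATED = build_update([(0, 0, 4, 4, b"\x33" * 8)])       # claims 64 bytes, sends 8

if __name__ == "__main__":
    print(decode_framebuffer_update(GOOD, 640, 480))
    for bad in (OVERSIZED, TRUNCATED):
        try:
            decode_framebuffer_update(bad, 640, 480)
        except RfbDecodeError as err:
            print("rejected:", err)
```

In a C or C++ client, the same two checks (geometry against the allocated framebuffer, payload length against the bytes actually received) are what stand between a malformed server message and an out-of-bounds write.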

Table of known VNC vulnerabilities since 2019

| CVE – Name | Specific implementation | CVSS 3.0 Base Score | Source | Published Date |
|---|---|---|---|---|
| CVE-2019-15681 | LibVNC | 7.5 HIGH | Kaspersky Labs | 10/29/2019 |
| CVE-2019-15691 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
| CVE-2019-15692 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
| CVE-2019-15693 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
| CVE-2019-15694 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
| CVE-2019-15695 | TigerVNC | 7.2 HIGH | Kaspersky Labs | 12/26/2019 |
| CVE-2019-17662 | ThinVNC | 9.8 CRITICAL | MITRE | 10/16/2019 |
| CVE-2019-1895 | NFVIS | 9.8 CRITICAL | Cisco Systems, Inc. | 08/07/2019 |
| CVE-2019-20382 | QEMU | 3.5 LOW | MITRE | 03/05/2020 |
| CVE-2019-8258 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8259 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8260 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8261 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8262 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8263 | UltraVNC | 6.5 MEDIUM | Kaspersky Labs | 03/05/2019 |
| CVE-2019-8264 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8265 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8266 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8267 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8268 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8269 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8270 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8271 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8272 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8273 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8274 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8275 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8276 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8277 | UltraVNC | 7.5 HIGH | Kaspersky Labs | 03/08/2019 |
| CVE-2019-8280 | UltraVNC | 9.8 CRITICAL | Kaspersky Labs | 03/08/2019 |
| CVE-2020-25708 | libvncserver-0.9.12 | 7.5 HIGH | Red Hat, Inc. | 11/27/2020 |
| CVE-2020-29480 | Xen through 4.14.x | 2.3 LOW | MITRE | 12/15/2020 |
| CVE-2021-20590 | VNC servers | 7.5 HIGH | JPCERT/CC | 04/22/2021 |
| CVE-2021-41380 | RealVNC | 6.5 MEDIUM | MITRE | 09/17/2021 |
| CVE-2021-42785 | TightVNC | 9.8 CRITICAL | GovTech CSG | 11/23/2021 |
| CVE-2022-24422 | VNC Console | 9.6 CRITICAL | Dell | 05/26/2022 |
| CVE-2022-25226 | ThinVNC | 10.0 CRITICAL | Fluid Attacks | 04/13/2022 |
| CVE-2022-25227 | Thinfinity VNC | 8.8 HIGH | Fluid Attacks | 05/20/2022 |
| CVE-2022-27502 | RealVNC | 7.8 HIGH | MITRE | 06/10/2022 |
| CVE-2022-3165 | QEMU VNC server | 6.5 MEDIUM | Red Hat, Inc. | 10/17/2022 |
| CVE-2022-36436 | VNCAuthProxy | 9.8 CRITICAL | MITRE | 09/14/2022 |
| CVE-2022-41975 | RealVNC | 7.8 HIGH | MITRE | 09/30/2022 |

Secure configuration on RealVNC

  1. First of all, passwords. It is a must to choose a unique and complex password. Password managers and generators can be used for creating and storing hashed authentication data, so there is no need to reuse passwords.
  2. The Security page of the RealVNC account provides Two-Factor Authentication (2FA), which is highly recommended.
  3. Sharing remote access with other people through RealVNC can be configured in these three steps:
    • General page – everyone is required to use 2FA.
    • People page – invite only trusted people into the team.
    • Computers page – discovery permissions restricted appropriately.
  4. Connection audit logs should be reviewed on a regular basis.
  5. Every remote computer should have the following configured:
    • Connection approval should be turned on if the owner is physically present.
    • Screen blanking should be turned on if the remote computer is running Windows.
    • VNC Server has a DisconnectAction parameter, which should be used to lock or log out the remote desktop when the last user disconnects.
    • Enable 2FA/MFA for VNC Server.
    • VNC Server should be installed in a secure location, for example C:/Program Files.
    • Update notifications are recommended to be turned on.
    • Session permissions should be appropriately restricted.
    • The VNC Server BlacklistThreshold parameter is used for lowering the number of unsuccessful authentication attempts.
    • The Enterprise edition of RealVNC also supports 256-bit AES encryption. This is enabled by setting the VNC Server Encryption parameter to AlwaysMaximum.
    • Lowering the VNC Server IdleTimeout configures earlier disconnection of idle sessions.
    • Setting the VNC Server AllowIpListenRfb parameter to FALSE turns off direct connectivity. Existing direct connections are not terminated.
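One way to check the VNC Server parameters from step 5 automatically, as an added example that is not RealVNC's own tooling: an audit of a parameter file against the list above. The Name=Value file layout, the accepted DisconnectAction values, the numeric limits and both sample files are assumptions constructed for illustration.

```python
def parse_params(text):
    """Parse 'Name=Value' lines, skipping blanks and '#' comments (assumed layout)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

# Assumed site policy, not vendor guidance: adjust to your own baseline.
MAX_BLACKLIST_THRESHOLD = 5   # failed logins tolerated before blacklisting
MAX_IDLE_TIMEOUT = 3600       # seconds; 0 is rejected because it means "never"

def _int_at_most(limit):
    def check(value):
        return value is not None and value.isdigit() and 0 < int(value) <= limit
    return check

# Parameter name -> predicate returning True when the setting matches the list above.
CHECKS = {
    "Encryption": lambda v: v == "AlwaysMaximum",
    "DisconnectAction": lambda v: v is not None and v.lower() in ("lock", "logoff"),
    "BlacklistThreshold": _int_at_most(MAX_BLACKLIST_THRESHOLD),
    "IdleTimeout": _int_at_most(MAX_IDLE_TIMEOUT),
    "AllowIpListenRfb": lambda v: v is not None and v.upper() == "FALSE",
}

def audit(text):
    """Return the sorted names of parameters that are missing or too permissive."""
    params = parse_params(text)
    return sorted(name for name, ok in CHECKS.items() if not ok(params.get(name)))

# Constructed sample files.
WEAK = "Encryption=PreferOn\nIdleTimeout=0\nAllowIpListenRfb=TRUE\n"
HARDENED = (
    "# constructed hardened sample\n"
    "Encryption=AlwaysMaximum\nDisconnectAction=Lock\n"
    "BlacklistThreshold=3\nIdleTimeout=600\nAllowIpListenRfb=FALSE\n"
)

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

A parameter that is absent from the file is reported as a finding, because the effective value then depends on defaults that this check cannot see.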

Conclusion

In conclusion, VNC is an easy-to-use tool for connecting to a remote desktop device. It is clear that there are more vulnerabilities yet to be revealed, but the secure configuration should be implemented anyway. Attackers will always find a way to knock on someone’s door, and they will keep knocking patiently, with more sophisticated attacks, until they get inside. It is up to administrators to be prepared and to always update and patch their systems, including VNC software.

Sources