This article is more than 1 year old

RDP loves company: Kaspersky finds 37 security holes in VNC remote desktop software

BlueKeep isn't the only bug in town, plenty to go round

VNC remote desktop software has no shortage of potentially serious memory-corruption vulnerabilities, you'll no doubt be shocked to hear.

This is all according to [PDF] a team at Kaspersky Lab, which has uncovered and reported more than three dozen CVE-listed security holes, some allowing for remote code execution.

VNC, or Virtual Network Computing, is an open protocol used to remotely access and administer systems. Much like with the BlueKeep flaw in Microsoft's RDP service, miscreants can exploit these holes in VNC to potentially commandeer internet or network-facing computers.

Kaspersky says that, based on its best estimates from Shodan searches, about 600,000 public-facing machines offer VNC access as do around a third of industrial control devices.

"According to our estimates, most ICS vendors implement remote administration tools for their products based on VNC rather than any other system," said Kaspersky researcher Pavel Cheremushkin earlier today. "This made an analysis of VNC security a high-priority task for us."

The team focused its efforts on four specific targets: LibVNC, UltraVNC, TightVNC 1.x, and TurboVNC, four popular VNC libraries or tools whose open-source licenses allowed for code to be studied. RealVNC forbids reverse engineering, we're told.

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!


The investigation kicked up a total of 37 CVE-listed memory corruption flaws: 10 in LibVNC, four in TightVNC, one in TurboVNC, and 22 in UltraVNC. All have now been patched, save for the bugs in TightVNC 1.x which were present in a no-longer supported version: you should be using version 2.x anyway.

The bulk of the vulnerabilities were found in the client-side of the software, which should come as good news for admins. This, Cheremushkin says, is in large part because of the way the VNC protocol works, putting most of the code on the client. There were some exploitable server-side bugs, though.

"Attackers would without doubt prefer remote code execution on the server. However, most vulnerabilities are found in the system’s client component," the researcher noted.

"In part, this is because the client component includes code designed to decode data sent by the server in all sorts of formats. It is while writing data decoding components that developers often make errors resulting in memory corruption vulnerabilities."

The Kaspersky report comes just as the the clamor over the BlueKeep flaw has begun to die down. That bug recently made headlines after reports of (extremely limited) active exploits surfaced.

Admins can protect themselves from RDP and VNC exploitation by updating their software (or migrating off, in the case of TightVNC) and using network filters to lock down access. ®

More about


Send us news

Other stories you might like