Kaspersky researchers have identified a slew of flaws in open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.
Kaspersky says that VNC is often used in industrial environments, and that many manufacturers of industrial control systems (ICS) use VNC to add remote administration capabilities to their products.
Kaspersky evaluated four widely used open source VNC systems: LibVNC, UltraVNC, TightVNC and TurboVNC. The company says UltraVNC and TightVNC are often recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs).
As many as 37 CVE identifiers have been assigned to the vulnerabilities Kaspersky found in server and client software. Some of the flaws can be exploited for remote code execution, letting the attacker make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC.
The cybersecurity company said that in some cases, the vulnerabilities found as part of this research project were variations of previously identified flaws.
The server-side flaws can be exploited by an attacker who is on the same network as the targeted VNC server. However, there are over 600,000 servers directly reachable from the internet.
A majority of the 37 flaws have been patched. In the case of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not issued any patches, in spite of being informed in January 2019.
“I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, a researcher at Kaspersky ICS CERT. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code.”