
Kaspersky uncovers 37 vulnerabilities in open-source VNC systems

November 22, 2019

The exploitation of some detected vulnerabilities could lead to remote code execution

Woburn, MA – November 22, 2019 – Kaspersky has presented an analysis of open-source Virtual Network Computing (VNC) systems which uncovered memory corruption vulnerabilities that existed in a substantial number of projects for a significant period of time. The exploitation of some detected vulnerabilities could lead to remote code execution affecting the users of VNC systems, which, according to shodan.io, amount to over 600,000 servers accessible from the global network.

VNC systems provide remote access to one device from another through the use of the remote frame buffer (RFB) protocol. Due to their availability on multiple platforms and the presence of multiple open-source implementations, VNC systems have become some of the most popular desktop sharing tools to date. They are actively used in automated industrial facilities to enable remote control of systems, and approximately 32% of industrial network computers have some form of remote administration tools, including VNC.

The prevalence of such systems in general, and particularly of ones that are vulnerable, is a significant issue for the industrial sector, as potential damage can bring significant losses through disruption of complex production processes. As such, Kaspersky researchers studied some of the most popular VNC systems, including LibVNC, UltraVNC, TightVNC 1.X and TurboVNC.

Although these VNC projects were previously analyzed by other researchers, not all vulnerabilities were uncovered and patched. As a result of Kaspersky’s analysis, 37 CVE records marking various vulnerabilities were created. Vulnerabilities were found not only on the client side, but also on the server side of the system. Some allowed remote code execution, which can then permit a malicious actor to make arbitrary changes on the attacked systems. On the other hand, many server-side vulnerabilities could only be exploited after password authentication, and some servers do not allow password-free access.

“I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, Kaspersky ICS CERT vulnerability researcher. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code. We at Kaspersky believe it is important to systematically detect such multitudes of projects with inherited vulnerabilities, which is why we conduct research of such kind.”

Information on all discovered vulnerabilities has been passed on to the developers. Almost all developers contacted patched the vulnerabilities, with the exception of TightVNC, who do not support this product. The users of the latter should consider alternative VNC system options.

A copy of the report, VNC Vulnerabilities Study, is available on ICS CERT.

About Kaspersky ICS CERT

Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Since its inception, the team has identified over 240 critical vulnerabilities in products by major global ICS vendors. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. Learn more at ics-cert.kaspersky.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
