Kaspersky has presented analysis of open source Virtual Network Computing (VNC), which uncovered memory corruption vulnerabilities that have existed in a substantial number of projects for a very long time.
The exploitation of some detected vulnerabilities could lead to remote code execution affecting the users of VNC systems, which amount to over 600 000 servers accessible from the global network alone, according to shodan.io.
Considering the devices are only accessible within local networks, the real number of VNC installations is multi-fold.
VNC systems are used to provide remote access to one device from the other through the use of remote frame buffer (RFB) protocol.
Due to its availability on multiple platforms and presence of multiple open source versions, VNC systems have become some of the most popular desktop sharing tools to date. They are actively used in automated industrial facilities enabling remote control of systems, with approximately 32% of industrial network computers having some form of remote administration tools – including VNC.
The prevalence level of such systems in general, and particularly vulnerable ones, is an especially significant issue for the industrial sector, whereas potential damages can bring significant losses through disruption of complex production processes.
Kaspersky researchers studied some the most popular VNC systems: LibVNC, UltraVNC, TightVNC1.X and TurboVNC.
Although these VNC projects were analysed previously by other researchers, it turned out not all vulnerabilities were then uncovered and patched.
As a result, of the analysis by Kaspersky researchers, 37 CVE records marking various vulnerabilities were created.
Vulnerabilities were found not only on the client, but also on the server-side of the system. Some of them can allow remote code execution, which in turn could allow a malicious actor to make arbitrary changes on the attacked systems.
On a more positive note, many server-side vulnerabilities could only be exploited after password authentification and some servers do not allow to set up password-free access.
Pavel Cheremushkin, Kaspersky ICS CERT vulnerability researcher, says: “I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime. This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago.
“Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code. We at Kaspersky believe it is important to systematically detect such multitudes of projects with inherited vulnerabilities, which is why we conduct research of such kind.”
Information on all of the discovered vulnerabilities has been passed on to the developers. Almost all developers contacted patched the vulnerabilities, with the exception of TightVNC, who do not support this product. The users of the latter should consider alternative VNC system options.
To address risks related to vulnerable VNC tools, Kaspersky experts recommend developers and VNC users to:
* Audit the use of application and system remote administration tools used on the industrial network. Remove all remote administration tools that are not required by the industrial process.
* Conduct an audit and disable remote administration tools which came with ICS software (refer to the relevant software documentation for detailed instructions), provided that they are not required by the industrial process.
* Closely monitor and log events for each remote control session required by the industrial process; remote access should be disabled by default and enabled only upon request and only for limited periods of time.
* Regularly update operating systems, application software and security solutions, establish a procedure for fixing them.
* Avoid connection to unknown VNC servers and set up strong unique passwords on all servers.
* Use a dedicated cybersecurity product for industrial automation systems.