New versions have been released for the four popular implementations of VNC after Kaspersky discovered thirty-seven vulnerabilities in the software
VNC (or Virtual Network Computing) is a system that allows one device to access the screen and control the keyboard and mouse of another device. Using the Remote Frame Buffer (RFB) protocol, VNC has been implemented on many operating systems including Linux, Mac, Windows and beyond. VNC is used for remote access for server administrators, desktop support engineers and it is also widely used in industrial automation systems. Kaspersky estimate that VNC is used in a third of all industrial control system computers and about 600,00 VNC servers are visible on the internet according to the Shodan search engine.
VNC is implemented as two separate components, a server element which runs on the computer to be controlled and a client which runs on the system doing the connecting. Because the protocol support cross platform connections, a Linux client can, for example, connect to a VNC server running on a Windows Server and so on.
Vulnerabilities were found in four popular open-source VNC implementations by Kaspersky:
LibVNC which is a library that is embedded in other software (such as VirtualBox which uses it to access to virtual machines) – 10 CVE reported
UltraVNC which is a Windows based implementation popular with industrial automation companies – 22 CVE reported
TightVNC is more popular with Unix and Linux users – 4 CVE reported
TurboVNC is a variation that has optimised compression of the video stream to improve performance – 1 CVE reported
Most of the vulnerabilities have been patched by the developers and so system administrators are advised to ensure their VNC installations are updated to the latest versions.