Many Critical Vulnerabilities In VNC
Many critical vulnerabilities have been found in Virtual Network Computing (VNC) software. Kaspersky researchers identified 37 different memory corruption vulnerabilities across the VNC projects they examined, many of which could result in remote code execution (RCE). They estimate that around 600,000 web-accessible servers use the affected code.
“The prevalence of such systems in general, and particularly ones that are vulnerable, is a significant issue for the industrial sector as potential damages can bring significant losses through disruption of complex production processes,” Kaspersky researchers wrote in an analysis of the bugs for ICS CERT, released Friday.
Kaspersky found many critical vulnerabilities in VNC client code, but also on the server side of the system, where they can be exploited after password authentication. Kaspersky said there are two main attack vectors:
“An attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server’s privileges; [or] a user connects to an attacker’s ‘server’ using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user’s machine.”
A significant number of the vulnerabilities detailed in the research were found and reported last year; however, each of the VNC projects examined also had newly discovered bugs.
Some Critical Vulnerabilities Found:
A newly found critical (9.8 out of 10 on the CVSS v3 severity scale) stack buffer overflow vulnerability in the TurboVNC server code could result in RCE. The issue (CVE-2019-15683) exists because the stack frame is not protected with a stack canary. However, exploiting the bug requires authorization on the server.
An integer overflow vulnerability (CVE-2018-15361) exists in the UltraVNC client-side code. It is also rated critical, with a CVSS score of 9.8 out of 10, and can be exploited to cause a denial-of-service condition. The researchers also “wouldn’t rule out that experts in exploiting the Windows userland heap could turn this vulnerability into an RCE if they wanted to.”
The critical CVE-2019-8262 vulnerability (CVSS score of 9.8 out of 10) was identified in the handler for data encoded with the UltraVNC encoding, and could cause information disclosure.
In TightVNC version 1.3.10, there is a critical global buffer overflow (CVE-2019-8287) in the HandleCoRREBBP macro function, again with a CVSS score of 9.8 out of 10. Kaspersky found that this can also potentially result in RCE.
Researchers also found a high-severity flaw in LibVNC (CVE-2019-15681), with a CVSS score of 7.7 out of 10. It is a memory leak in the VNC server code, exploitable over the network, which allows an attacker to read stack memory and can be abused for information disclosure.
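The encoding-handler bugs above (a global buffer overflow in a CoRRE handler, an over-read that leaks memory) share one root cause: the handler trusts the geometry and length the peer sent. The following C example, added here for illustration and not taken from TightVNC, UltraVNC, TurboVNC or LibVNC, handles one RFB FramebufferUpdate rectangle in raw encoding. The rectangle header layout (x, y, w, h as big-endian 16-bit values, then a 32-bit encoding id) is the public RFB format; the framebuffer dimensions, function names and the constructed test message are assumptions. The unchecked version shows the pattern that lets a malicious rectangle write past a global framebuffer or read past the end of the message; the checked version validates both before copying, which is the fix regardless of whether a stack canary happens to be present.

```c
/* Illustrative RFB rectangle handling, written for this article. NOT code from
 * any VNC project; FB_W, FB_H, BPP, the function names and the message buffer
 * are assumptions. Only RFB "raw" encoding (id 0) is handled. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FB_W    64   /* assumed framebuffer width in pixels  */
#define FB_H    48   /* assumed framebuffer height in pixels */
#define BPP     4    /* assumed bytes per pixel              */
#define ENC_RAW 0    /* RFB "raw" encoding id                */

/* A global framebuffer: exactly the kind of object a global buffer overflow clobbers. */
static uint8_t framebuffer[FB_W * FB_H * BPP];

enum rect_status { RECT_OK = 0, RECT_SHORT_HEADER, RECT_OUT_OF_BOUNDS,
                   RECT_SHORT_PAYLOAD, RECT_UNSUPPORTED_ENC };

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static void fb_clear(void) { memset(framebuffer, 0, sizeof framebuffer); }

/* First byte of the pixel at (x, y); used to observe what a handler wrote. */
static uint8_t pixel_at(unsigned x, unsigned y) { return framebuffer[(y * FB_W + x) * BPP]; }

/* Vulnerable pattern: trusts the peer's geometry and message length.
 * Kept only for contrast; never call it on untrusted input. */
static void handle_rect_unchecked(const uint8_t *msg)
{
    uint16_t x = rd_u16(msg), y = rd_u16(msg + 2);
    uint16_t w = rd_u16(msg + 4), h = rd_u16(msg + 6);
    const uint8_t *px = msg + 12;
    for (uint16_t row = 0; row < h; row++)                 /* y+h may exceed FB_H   */
        memcpy(&framebuffer[((y + row) * FB_W + x) * BPP], /* x+w may exceed FB_W   */
               px + (size_t)row * w * BPP, (size_t)w * BPP); /* msg may be too short */
}

/* Hardened version: check the rectangle against the framebuffer and the
 * claimed pixel data against the bytes actually received before copying. */
static enum rect_status handle_rect_checked(const uint8_t *msg, size_t len)
{
    if (len < 12) return RECT_SHORT_HEADER;
    uint32_t x = rd_u16(msg), y = rd_u16(msg + 2);
    uint32_t w = rd_u16(msg + 4), h = rd_u16(msg + 6);
    int32_t enc = (int32_t)(((uint32_t)msg[8] << 24) | (msg[9] << 16) | (msg[10] << 8) | msg[11]);
    /* 32-bit sums of two 16-bit values cannot wrap, so these comparisons are exact. */
    if (x + w > FB_W || y + h > FB_H) return RECT_OUT_OF_BOUNDS;
    if (enc != ENC_RAW) return RECT_UNSUPPORTED_ENC;
    /* After the bounds check w*h is bounded by the framebuffer size, so no overflow here. */
    size_t need = (size_t)w * h * BPP;
    if (len - 12 < need) return RECT_SHORT_PAYLOAD;        /* stops over-reading msg */
    const uint8_t *px = msg + 12;
    for (uint32_t row = 0; row < h; row++)
        memcpy(&framebuffer[((y + row) * FB_W + x) * BPP], px + (size_t)row * w * BPP, (size_t)w * BPP);
    return RECT_OK;
}

/* Builds a constructed raw-encoded rectangle message into out; returns its length, 0 if cap is too small. */
static size_t build_rect(uint8_t *out, size_t cap, uint16_t x, uint16_t y,
                         uint16_t w, uint16_t h, int32_t enc, uint8_t fill)
{
    size_t need = 12 + (size_t)w * h * BPP;
    if (cap < need) return 0;
    uint16_t v[4] = { x, y, w, h };
    for (int i = 0; i < 4; i++) { out[2 * i] = (uint8_t)(v[i] >> 8); out[2 * i + 1] = (uint8_t)v[i]; }
    uint32_t e = (uint32_t)enc;
    out[8] = (uint8_t)(e >> 24); out[9] = (uint8_t)(e >> 16); out[10] = (uint8_t)(e >> 8); out[11] = (uint8_t)e;
    memset(out + 12, fill, need - 12);
    return need;
}

int main(void)
{
    uint8_t buf[4096];
    fb_clear();
    /* Well-formed rectangle: both handlers behave identically on it. */
    size_t n = build_rect(buf, sizeof buf, 2, 3, 4, 5, ENC_RAW, 0xAB);
    handle_rect_unchecked(buf);                       /* safe only because the input is well-formed */
    printf("checked, valid rect: status %d, pixel(2,3)=0x%02x\n", handle_rect_checked(buf, n), pixel_at(2, 3));
    /* Rectangle that runs off the right edge: the checked handler refuses it. */
    n = build_rect(buf, sizeof buf, 62, 0, 4, 1, ENC_RAW, 0xCD);
    printf("checked, out-of-bounds rect: status %d\n", handle_rect_checked(buf, n));
    /* Header claims more pixel data than was received: refused instead of over-read. */
    n = build_rect(buf, sizeof buf, 0, 0, 4, 4, ENC_RAW, 0xEE);
    printf("checked, truncated payload: status %d\n", handle_rect_checked(buf, n - 1));
    return 0;
}
```

The two checks map directly onto the two bug classes in the article: the geometry check prevents writes outside the global framebuffer, and the payload-length check prevents the handler from reading past the bytes it actually received, which is how memory contents end up disclosed to the peer.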
Kaspersky did the right thing and contacted the affected developers, and patches have been issued for supported products. However, TightVNC has discontinued development of the TightVNC 1.x line, considers it end-of-life, and will not patch the bugs.