VNC Security Concern?
29 views
Skip to first unread message
techmon
Sep 20, 2021, 10:01:57 AM9/20/21
to TigerVNC User Discussion/Support
Good day,
I realize these articles are from 2019....
Are all of these vulnerabilities fixed since we're now in 2021? or is there still some concerns?
Thanks for your input!
Pierre Ossman
Sep 20, 2021, 10:22:01 AM9/20/21
to techmon, TigerVNC User Discussion/Support
On 20/09/2021 16:01, techmon wrote:
> Good day,
>
> I realize these articles are from 2019....
> Are *all* of these vulnerabilities fixed since we're now in 2021? or is
> Good day,
>
> I realize these articles are from 2019....
> there still some concerns?
>
> https://www.cybersecurity-review.com/news-november-2019/critical-flaws-in-vnc-threaten-industrial-environments/
>
> https://usa.kaspersky.com/blog/vnc-vulnerabilities/19962/
>
> Thanks for your input!
>
Those links talk about other VNC implementations, not TigerVNC. However
>
> https://www.cybersecurity-review.com/news-november-2019/critical-flaws-in-vnc-threaten-industrial-environments/
>
> https://usa.kaspersky.com/blog/vnc-vulnerabilities/19962/
>
> Thanks for your input!
>
the good people at Kaspersky found some other issues in TigerVNC that
were promptly fixed in the TigerVNC 1.10.1 release. So as long as you
are running an up to date version you should be fine.
Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
DRC
Sep 20, 2021, 11:20:36 AM9/20/21
to tigervn...@googlegroups.com
The issue in TurboVNC was fixed in 2.2.3, but it never existed in
TigerVNC. The issue allowed a specially-crafted VNC viewer to send a
malformed RFB fence message and overflow the server's stack, but the
viewer had to successfully authenticate first. Thus, the worst case was
that the issue might have allowed a clever hacker to remotely execute
code after successful authentication, but all VNC servers allow remote
code execution after successful authentication. That is quite literally
their purpose. :)
On 9/20/21 9:01 AM, techmon wrote:
> Good day,
>
> I realize these articles are from 2019....
> Are *all* of these vulnerabilities fixed since we're now in 2021? or is
>
> https://usa.kaspersky.com/blog/vnc-vulnerabilities/19962/
TigerVNC. The issue allowed a specially-crafted VNC viewer to send a
malformed RFB fence message and overflow the server's stack, but the
viewer had to successfully authenticate first. Thus, the worst case was
that the issue might have allowed a clever hacker to remotely execute
code after successful authentication, but all VNC servers allow remote
code execution after successful authentication. That is quite literally
their purpose. :)
On 9/20/21 9:01 AM, techmon wrote:
> Good day,
>
> I realize these articles are from 2019....
> there still some concerns?
>
> https://www.cybersecurity-review.com/news-november-2019/critical-flaws-in-vnc-threaten-industrial-environments/
> <https://www.cybersecurity-review.com/news-november-2019/critical-flaws-in-vnc-threaten-industrial-environments/>
>
> https://www.cybersecurity-review.com/news-november-2019/critical-flaws-in-vnc-threaten-industrial-environments/
>
> https://usa.kaspersky.com/blog/vnc-vulnerabilities/19962/
Reply all
Reply to author
Forward
0 new messages