Regarding CVE-2019-15683
17 views
Skip to first unread message
DRC
Dec 2, 2019, 5:33:49 PM12/2/19
to turbovn...@googlegroups.com, turbovnc...@googlegroups.com, turbovn...@googlegroups.com
https://www.kaspersky.com/blog/vnc-vulnerabilities/31462
Kaspersky found one vulnerability in TurboVNC, which was fixed in 2.2.3.
There were no known exploits, nor could this vulnerability ever have
been encountered with any of the VNC viewers (TurboVNC and TigerVNC)
that currently support the RFB Fence message. Since the RFB Fence
message is only read and processed after a VNC viewer successfully
authenticates, a potential attacker would have first had to obtain
authentication credentials for the TurboVNC session, and if you have
authentication credentials for a TurboVNC session, you can usually
execute arbitrary code by simply interacting with the remote desktop
(because that is what remote desktop software is designed to do.) Thus,
since TurboVNC sessions usually run with non-root credentials, it is my
opinion that the worst-case exploit of this issue would have been
limited to the session owner or collaborators crashing the session.
Regardless, however, TurboVNC users are encouraged to upgrade their
servers to 2.2.3. Contact me if your organization still needs to use an
older branch of TurboVNC (2.1.x, 2.0.x, etc.) One of the services I
provide (for reasonable hourly rates) is back-porting newer bug fixes
and security fixes into older TurboVNC branches and spinning custom
builds based on those older branches. Refer to
https://turbovnc.org/About/ProfessionalServices.
It is notable that Kaspersky did not test TigerVNC. This specific
vulnerability does not appear to exist in the TigerVNC code base, but
others might.
DRC
Kaspersky found one vulnerability in TurboVNC, which was fixed in 2.2.3.
There were no known exploits, nor could this vulnerability ever have
been encountered with any of the VNC viewers (TurboVNC and TigerVNC)
that currently support the RFB Fence message. Since the RFB Fence
message is only read and processed after a VNC viewer successfully
authenticates, a potential attacker would have first had to obtain
authentication credentials for the TurboVNC session, and if you have
authentication credentials for a TurboVNC session, you can usually
execute arbitrary code by simply interacting with the remote desktop
(because that is what remote desktop software is designed to do.) Thus,
since TurboVNC sessions usually run with non-root credentials, it is my
opinion that the worst-case exploit of this issue would have been
limited to the session owner or collaborators crashing the session.
Regardless, however, TurboVNC users are encouraged to upgrade their
servers to 2.2.3. Contact me if your organization still needs to use an
older branch of TurboVNC (2.1.x, 2.0.x, etc.) One of the services I
provide (for reasonable hourly rates) is back-porting newer bug fixes
and security fixes into older TurboVNC branches and spinning custom
builds based on those older branches. Refer to
https://turbovnc.org/About/ProfessionalServices.
It is notable that Kaspersky did not test TigerVNC. This specific
vulnerability does not appear to exist in the TigerVNC code base, but
others might.
DRC
Reply all
Reply to author
Forward
0 new messages