VNC Detected

Updated 3/19/03

Impact

VNC could allow a remote attacker to gain access to a computer. It can also be a sign that the computer has been compromised by the Deloder worm.

Background

Virtual Network Computing (VNC) is a software package that allows remote, interactive access to a computer's desktop environment from any type of platform.

The Problem

VNC provides remote graphical interaction capabilities comparable to having physical access to the computer. This is a convenient but potentially dangerous feature, since it could allow the computer to be taken over remotely if VNC access falls into the wrong hands. Furthermore, except for the password, VNC sessions are not encrypted, which could allow a network sniffer to gather sensitive information.

Vulnerabilities in some older versions of VNC could allow a local or remote attacker to gain privileges. Vulnerable versions include:

VNC is also one of the remote access tools installed by the Deloder worm. The unexpected presence of VNC on a computer could be a sign of infection.

Resolution

Disable VNC if it is not essential. If it is essential, ensure that the installed version contains no known vulnerabilities, and that a strong password has been set. Using an SSH tunnel is recommended when using VNC across the Internet.
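One way to confirm which ports on a machine you administer are answering as VNC, shown as an added example that is not part of the original tutorial. It assumes the standard RFB handshake, in which a VNC server opens with a 12-byte "RFB xxx.yyy" version message, and the usual port numbering of 5900 plus the display number; the function names are hypothetical.

```python
import re
import socket

# RFB (the protocol VNC speaks) opens with a 12-byte ProtocolVersion
# message sent by the server: b"RFB xxx.yyy\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def parse_rfb_banner(data):
    """Return (major, minor) if data is an RFB ProtocolVersion message, else None."""
    m = RFB_BANNER.fullmatch(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def probe_vnc(host, port, timeout=2.0):
    """Connect to host:port and return the RFB version offered, or None.

    None means nothing answered or the service did not speak RFB.
    The RFB version is a protocol revision, not the product version,
    so it does not by itself show whether the install is patched.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while len(data) < 12:
                chunk = s.recv(12 - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_rfb_banner(data)


def audit_host(host, displays=range(10)):
    """Map port -> RFB version for displays :0 to :9 (ports 5900-5909) on host."""
    found = {}
    for d in displays:
        version = probe_vnc(host, 5900 + d)
        if version is not None:
            found[5900 + d] = version
    return found


if __name__ == "__main__":
    # Assumption: run against a machine you administer; loopback by default.
    for port, (major, minor) in audit_host("127.0.0.1").items():
        print(f"VNC (RFB {major}.{minor}) answering on port {port}")
```

When VNC is reached only through an SSH tunnel, the server should answer on the loopback address but not on the machine's network-facing address.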

Where can I read more about this?

More information on VNC security is available from AT&T and RealVNC. Information on using VNC with SSH is available from AT&T.

More information on the Deloder worm is available in CERT Advisory 2003-08.