https://www.kaspersky.com/blog/vnc-vulnerabilities/31462
Kaspersky found one vulnerability in TurboVNC, which was fixed in 2.2.3. There were no known exploits, nor could this vulnerability ever have been encountered with any of the VNC viewers (TurboVNC and TigerVNC) that currently support the RFB Fence message. Since the RFB Fence message is only read and processed after a VNC viewer successfully authenticates, a potential attacker would have first had to obtain authentication credentials for the TurboVNC session, and if you have authentication credentials for a TurboVNC session, you can usually execute arbitrary code by simply interacting with the remote desktop (because that is what remote desktop software is designed to do.) Thus, since TurboVNC sessions usually run with non-root credentials, it is my opinion that the worst-case exploit of this issue would have been limited to the session owner or collaborators crashing the session. Regardless, however, TurboVNC users are encouraged to upgrade their servers to 2.2.3. Contact me if your organization still needs to use an older branch of TurboVNC (2.1.x, 2.0.x, etc.) One of the services I provide (for reasonable hourly rates) is back-porting newer bug fixes and security fixes into older TurboVNC branches and spinning custom builds based on those older branches. Refer to https://turbovnc.org/About/ProfessionalServices. It is notable that Kaspersky did not test TigerVNC. This specific vulnerability does not appear to exist in the TigerVNC code base, but others might. DRC -- You received this message because you are subscribed to the Google Groups "TurboVNC User Discussion/Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/turbovnc-users/6b0920aa-7efa-1d32-cc1b-9b5812f59b86%40virtualgl.org.
