Researchers with Kaspersky have uncovered a total of 37 security vulnerabilities, including several critical flaws, in Virtual Network Computing, a graphical desktop-sharing system that is frequently used in industrial environments. The issues impact up to 600,000 Internet-facing servers.
Kaspersky warns that the use of VNC and other potentially vulnerable solutions designed for remotely controlling systems represents a serious security risk to the industrial sector “as potential damages can bring significant losses through disruption of complex production processes.” In a report for ICS CERT, Kaspersky explained that the issues, which include remote code execution (RCE) flaws, are all related to one of two attack vectors: “An attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server’s privileges; [or] a user connects to an attacker’s ‘server’ using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user’s machine.”
Read more: Critical Flaws in VNC Threaten Industrial Environments
