Missing: TightVNC's Product Demo & Case Studies
Promote your product offering to tech buyers.
Reach 1000s of buyers who use CB Insights to identify vendors, demo products, and make purchasing decisions.
Missing: TightVNC's Product & Differentiators
Don’t let your products get skipped. Buyers use our vendor rankings to shortlist companies and drive requests for proposals (RFPs).
Latest TightVNC News
Nov 23, 2019
By Eduard Kovacs on November 22, 2019 Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched. VNC systems use the remote frame buffer (RFB) protocol to allow users to remotely control a device. According to Kaspersky, VNC is often used in industrial environments and many manufacturers of industrial control systems (ICS) use VNC to add remote administration capabilities to their products. Kaspersky has analyzed four widely used open source VNC systems, including LibVNC, UltraVNC, TightVNC and TurboVNC. The cybersecurity firm says UltraVNC and TightVNC are often recommended by industrial automation system vendors for connecting to human-machine interfaces (HMIs). A total of 37 CVE identifiers have been assigned to the vulnerabilities found by Kaspersky in server and client software. Some of the flaws can be exploited for remote code execution, allowing the attacker to make changes to the targeted system. Over 20 of the security bugs were identified in UltraVNC. In some cases, the security firm noted, the flaws found as part of this research project were variations of previously identified weaknesses. The server-side vulnerabilities can be exploited by an attacker who is on the same network as the targeted VNC server. However, there are over 600,000 servers directly accessible from the internet, according to data from Shodan. The client-side weaknesses can be exploited when the user connects to a server controlled by the attacker using a vulnerable VNC client. Most of the 37 vulnerabilities have been patched. In the case of TightVNC, however, TightVNC 1.X has been discontinued and package maintainers have not released any fixes, despite being notified in January 2019. Kaspersky pointed out that while some of these vulnerabilities can pose a serious risk, particularly in the case of industrial systems, exploitation of the server-side bugs in many cases requires authentication, and the software may be designed not to allow authentication without a password. This means that setting a strong password on the server can prevent many attacks. On the client side, the best defense is to ensure that users don’t connect to untrusted VNC servers. “I was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,” said Pavel Cheremushkin, a researcher at Kaspersky ICS CERT. “This means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the codebase, which included vulnerable code.” Technical details are available on Kaspersky’s ICS-CERT website.
TightVNC Frequently Asked Questions (FAQ)
Discover the right solution for your team
The CB Insights tech market intelligence platform analyzes millions of data points on vendors, products, partnerships, and patents to help your team find their next technology solution.