Originally a reply to a question on the firewalls list, I thought it wise to repost my message to the Bugtraq list to alert a wider audience - especially since many of the replies were "I've used it across the Internet for ages with no problems".

-------

"How secure is VNC?" or "Is it OK to run VNC over the Internet?"

VNC is an excellent piece of free software allowing cross-platform remote administration, even via java-enabled web browsers. See http://www.uk.research.att.com/vnc

However, it was not written to run "out-of-the-box" safely across the Internet or other untrusted networks. According to the authors of VNC (FAQ section):

Q51 How secure is VNC?

Access to your VNC desktop generally allows access to your whole environment, so security is obviously important. VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in, and then returned to the server, which checks them against the 'right' answer. After that the data is unencrypted and could, in theory, be watched by other malicious users, though it's a bit harder to snoop a VNC session than, say, a telnet, rlogin, or X session. Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH.

They basically say "it is not secure". What does this mean in practice?

- Session hijacking: once the session is established it might be hijacked using ARP spoofing, ICMP redirects, BGP injection, RIP spoofing or any other redirection method. All standard TCP sequence prediction problems apply.

- Man-in-the-middle attacks: Evil Attacker(tm) fools the client into connecting to him/her instead of the actual server (via DNS spoofing or any of the spoofs above; in this case, however, no TCP sequence prediction is needed at all), connects to the server, gets the random challenge, sends the challenge to the client, gets the response from the client and passes it to the server. Voila! Straight authenticated connection from attacker to server.

- Actually, both of the above attacks are a lot easier to do if all involved parties are on the same LAN, so your network security depends on the definition of the word "trusted" :)

As you can see, this is Not Secure(tm). Neither was that intended by the authors:

Q52 Are you going to make it more secure?

We do hope eventually to add better security to VNC, but there's also a good argument for not doing so. If security is a concern, it can be better to use a single system such as SSH or FreeS/WAN to encrypt all your traffic, rather than relying on the individual packages to do the right thing. Then, if you decide in a year's time that one system is too easily crackable, you can replace it yourself and all of your communications will benefit. It may also be easier to fit in with corporate security systems this way.

Executive summary:

Would you allow vanilla telnet to your protected machines? Probably not.

If you need to run VNC over an untrusted network: tunnel it through something More Secure(tm) such as SSH or IPSec.

A-a-a! Did I hear someone say "Okay, I'll use PPTP"? Read Bruce Schneier and Mudge's analysis of PPTP: http://www.counterpane.com/pptp.html and of PPTPv2: http://www.counterpane.com/pptpv2-paper.html

Go with IPSec if you want to use a VPN mechanism; it's an established standard.

-----Original Message-----
From: kbashirat_private [mailto:kbashirat_private]
Sent: 11 October 1999 13:39
To: Firewallsat_private
Subject: VIRTUAL NETWORK COMPUTER

this is a little off topic but still it relates to security and firewall in a sense. Has anybody used this without problem and compromising security? http://www.uk.research.att.com/vnc

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50
Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se
E-mail: mikael.olssonat_private
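To make the man-in-the-middle point above concrete, here is an added toy model; it is neither VNC's actual wire protocol nor code from the VNC project, and the HMAC construction and the channel identifiers are assumptions. It shows that a challenge-response which is not tied to the transport is accepted when an intermediary merely forwards it, while a response bound to an authenticated channel identifier (the role an SSH or IPSec tunnel's own endpoint authentication plays in practice) no longer verifies after forwarding.

```python
import hashlib
import hmac
import os

# Toy model of a challenge-response login (constructed; NOT VNC's wire format).
# Assumption: HMAC-SHA256 keyed with the password stands in for VNC's
# password-keyed transform of the challenge; the relay argument is the same.
PASSWORD = b"constructed-password"


class Server:
    """Holds the password and issues a fresh random challenge per connection."""

    def __init__(self, password: bytes) -> None:
        self.password = password
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, response: bytes, channel_id: bytes = b"") -> bool:
        # channel_id models something only an authenticated transport supplies
        # (e.g. a per-session key of an SSH/IPsec tunnel); b"" means plain TCP.
        expected = hmac.new(self.password, self.nonce + channel_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, challenge: bytes, channel_id: bytes = b"") -> bytes:
    return hmac.new(password, challenge + channel_id, hashlib.sha256).digest()


def direct_login(bound: bool) -> bool:
    """Client talks to the real server over one channel; both see the same id."""
    server = Server(PASSWORD)
    chan = b"session-A" if bound else b""
    return server.verify(client_response(PASSWORD, server.challenge(), chan), chan)


def relayed_login(bound: bool) -> bool:
    """An intermediary that never learns the password forwards the challenge to
    the client and the client's answer back to the server. Over plain TCP the two
    legs are indistinguishable; with channel binding they carry different ids."""
    server = Server(PASSWORD)
    chal = server.challenge()
    client_leg = b"session-B" if bound else b""   # client <-> intermediary
    server_leg = b"session-C" if bound else b""   # intermediary <-> server
    return server.verify(client_response(PASSWORD, chal, client_leg), server_leg)
```

Run `direct_login` and `relayed_login` with `bound` set to False and then True: only the relayed, unbound case is accepted without the password ever being known to the intermediary.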
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:16 PDT