Recently Kaspersky has discovered 37 vulnerabilities in popular VNC implementations. More details are available at the Kaspersky ICS CERT website. Since Veyon is based on the VNC protocol and uses several of the examined components it is important to know if and how Veyon is affected by these security issues.
First of all, if you regularly update your Veyon installations to the latest version, you are on the safe side. That means all users of Veyon 4.3.x may relax and do not have to take any actions at all (and may even skip reading the rest of this article). Veyon 4.3.1 also includes an additional security measurement to prevent out-of-memory DoS attacks. Secondly, Veyon acts as a proxy for all VNC connections, validating all VNC messages before they are sent to the internal platform-specific VNC server (UltraVNC, x11vnc, etc.). Furthermore, VNC messages are only forwarded after the connected counterpart (i.e. Veyon Master) has been authenticated successfully and passed access control (if configured). Since the internal VNC server only listens on localhost and is therefore not accessible via the network, many of the described security vulnerabilities cannot be exploited remotely. Last but not least: all official Windows and Linux packages are equipped with so called strong stack protection which makes it even harder to exploit possible stack buffer overflows in both 3rdparty components and Veyon itself.
What are the exact risks for users of older versions of Veyon? There are two VNC components integrated in Veyon: LibVNC and UltraVNC. While LibVNC is used on all platforms the UltraVNC server is used by the Windows version only. All LibVNC issues have been fixed in late 2018 which means if you’re running Veyon older than 4.1.6 you may be affected by:
The flaws can be exploited by attackers if they manage to exchange the Veyon Server on a client computer with a malicious VNC server. If your Veyon Master connects to trusted clients only (i.e. students do not have administrative privileges) everything is fine and you are unlikely to be exposed to any threats. Otherwise an attacker could theoretically be able to remote execute code on the teacher computer with privileges of the user running Veyon Master.
On Linux the internal x11vnc server uses the server component of LibVNC which is affected by CVE-2019-15681. If you’re using Veyon older than 4.2.5 on Linux it is recommended to update now.
The Windows version of Veyon makes use of the UltraVNC server which is affected by several vulnerabilities. Since Veyon only integrates the most essential core components of the UltraVNC server code, only 3 of the 22 CVEs are potentially relevant:
Thanks to the VNC proxy mechanism described above only authenticated users (teachers, support staff etc.) could exploit these flaws and potentially execute code or read stack memory. All issues are fixed in Veyon 4.2.0 and newer.
In summary, the following recommendations should be followed:
- Update all computers running any Veyon component (Master/Client) to Veyon 4.3.x
- Establish a mechanism for automatically deploying Veyon to all computers
- Keep on updating to the latest available version (which should be easy with proper deployment automation)