VNC Solutions and Related Security Concerns
Matthew Cannizzaro

What is VNC
VNC stands for Virtual Network Computing. It is a remote desktop system built on the RFB protocol: the remote computer's screen is shipped to a viewer, and the viewer's keyboard and mouse input is sent back. VNC is cross platform, which makes it an attractive solution for IT environments that use several computing platforms.

Defining some terms
VNC - a graphical desktop sharing system used to remotely control another computer.
RFB Protocol - the "remote framebuffer" protocol that VNC speaks. It is a simple protocol for remote access to graphical user interfaces, applicable to any windowing system and application, including Windows and Macintosh.
Framebuffer - a video output device that drives a video display from a memory buffer containing a complete frame of data. The information in the buffer typically consists of color values for every pixel on the screen.

What VNC Solutions are available
Many, too many to list them all. Some of the more popular remote desktop/VNC solutions are:
RealVNC
TightVNC
UltraVNC
GoToMyPC
LogMeIn
Note that RealVNC, TightVNC and UltraVNC are implementations of the RFB (VNC) protocol, while GoToMyPC and LogMeIn are proprietary hosted remote access services that do not use RFB. The rest of this deck concerns LogMeIn.
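The RFB handshake described above, as an added example that is not part of the original deck and not code from any VNC project: both sides of the RFB 3.8 version and security-type exchange (RFC 6143) are modelled over in-memory byte strings rather than a socket, and the server's offer is audited for the security concerns a reviewer would flag. The server offer of [None, VNC Authentication] and the client's preference order are constructed for this example.

```python
"""RFB 3.8 handshake modelled over in-memory byte strings (added example, no sockets)."""
import struct

# Security types from RFC 6143 section 7.1.2 and the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt",
}


def parse_version(banner: bytes):
    """ProtocolVersion is exactly 12 bytes: b'RFB xxx.yyy\\n'. Returns (major, minor)."""
    if (len(banner) != 12 or banner[:4] != b"RFB "
            or banner[7:8] != b"." or banner[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message: %r" % banner)
    return int(banner[4:7]), int(banner[8:11])


def server_security_offer(types):
    """Server -> client (3.7+): u8 count, then one u8 per security type.
    A count of 0 means the server refuses; a u32 length and a reason string follow."""
    if not types:
        reason = b"Too many security failures"
        return b"\x00" + struct.pack(">I", len(reason)) + reason
    return bytes([len(types)]) + bytes(types)


def client_choose(offer: bytes, preference):
    """Client parses the offer and answers with the first preferred type the server
    supports. Returns (chosen_type, bytes the client sends back)."""
    count = offer[0]
    if count == 0:
        (n,) = struct.unpack(">I", offer[1:5])
        raise ConnectionError("server refused handshake: " + offer[5:5 + n].decode("latin-1"))
    offered = list(offer[1:1 + count])
    for t in preference:
        if t in offered:
            return t, bytes([t])  # client -> server: the chosen type as a single u8
    raise ConnectionError("no mutually acceptable security type; offered %s" % offered)


def audit_offer(offer: bytes):
    """What a reviewer learns from the server's security-type list alone."""
    offered = list(offer[1:1 + offer[0]])
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in offered]
    findings = []
    if 1 in offered:
        findings.append("'None' offered: anyone who can reach the port gets the desktop "
                        "with no credentials")
    if 2 in offered:
        findings.append("'VNC Authentication' offered: DES challenge/response with a password "
                        "truncated to 8 bytes, recoverable by offline brute force from a capture")
    if not {18, 19} & set(offered):
        findings.append("no TLS/VeNCrypt type: framebuffer and keystrokes cross the network "
                        "in the clear")
    return names, findings


def demo():
    """Both sides of a handshake against a typical unhardened server (constructed)."""
    version = parse_version(b"RFB 003.008\n")            # server -> client
    client_banner = b"RFB 003.008\n"                      # client -> server: version it will speak
    assert parse_version(client_banner) == version
    offer = server_security_offer([1, 2])                 # server -> client
    chosen, _reply = client_choose(offer, [19, 18, 2, 1]) # client -> server
    names, findings = audit_offer(offer)
    return version, chosen, names, findings


if __name__ == "__main__":
    for line in demo()[3]:
        print("finding:", line)
```

The client here prefers the encrypted types (VeNCrypt, TLS) and only falls back to VNC Authentication because the server never offered anything better; a server that lists type 1 at all should be treated as open to the network.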
Basic Idea
The LogMeIn security white paper (linked under Resources) lists the attacks it sets out to mitigate:
Authentication and authorization of users to the target resource
Authentication of the target resource to users
Data confidentiality
Authentication and authorization of users within the target resource

LogMeIn Security - Authentication
Authentication of the target resource to users: accomplished by verifying the SSL certificate.
Authentication of users to the gateway: a simple username/password combination. Optionally a list of one-time passwords may be generated, or one-time-use passwords may be sent to a designated wireless device (cell phone).
Authentication of the gateway to the host: accomplished by verifying the SSL certificate.
Authentication of the host to the gateway: verified by a unique identifier sent from the host over the SSL-secured channel, only after the gateway has been authenticated.

LogMeIn Security - Data Encryption
The client sends a list of preferred encryption algorithms to the server, and the server normally selects the strongest algorithm on that list. Because either side can drop an algorithm from its own list, both client and server can refuse algorithms that have been compromised, even if only one side (usually the server) is fully updated.
Data is encrypted using SSL/TLS. The white paper lists RC4 and 3DES, with AES in some of the more advanced (paid) versions. RC4 uses 128-bit keys, 3DES uses 168-bit keys, and AES can use either 128- or 256-bit keys.
Caveat: those key lengths are nominal. 3DES's 168-bit key provides only about 112 bits of effective strength because of the meet-in-the-middle attack, and RC4 has since been shown to have keystream biases serious enough that RFC 7465 prohibits it in TLS. Of the three, AES is the only option a practitioner should accept today.
LogMeIn Security - Intrusion Detection
IP Address Filter: requests are first checked against a list of trusted or untrusted IP addresses; connections may be denied at this level.
Denial of Service Filter: if too many unauthenticated requests arrive within a predetermined span of time, the filter rejects those connection attempts.
Authentication Filter: if a user attempts and fails authentication excessively, the filter rejects the connection.

LogMeIn Security - Authentication (continued)
Authentication and authorization of users to the host: a mandatory Windows authentication step.
Authentication and authorization of users within the host: LogMeIn uses the Windows access token obtained during user authentication so that the OS treats the user as if they were sitting in front of the PC. Because LogMeIn acts under the user's own access token it must adhere to the Windows security model: the remote user receives exactly the same access to, or restrictions on, the computer's resources, files and network resources as if they had logged on in person. The flip side is that a remote session is only as restricted as the local account; a user with local administrator rights gets full administrative control through LogMeIn.

LogMeIn Security - Communication
LogMeIn uses UDP as the foundation for its communication, though no real communication is done over the raw UDP layer, which is widely regarded as insecure. LogMeIn builds its own TCP-like transport layer on top of the UDP pathways it uses and protects that stream with an SSL layer. Because the host opens these connections outbound, the SSL-protected stream traverses firewalls with no inbound rule or other additional configuration required for the service.

Security Vulnerabilities
Severity: MODERATE
Description: LogMeIn's 'RACtrl.dll' ActiveX control is a remote access utility. The control is prone to multiple denial-of-service vulnerabilities affecting the 'fgcolor', 'bgcolor' and 'fmcolor' attributes of the control identified by CLSID {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}. Specifically, the issues arise from a NULL-pointer dereference when the control handles values supplied through the affected attributes.
A remote attacker can exploit these issues by enticing an unsuspecting victim to visit a malicious HTML page that instantiates the control and supplies values through the affected attributes. A successful attack crashes the hosting application (the browser), denying further service to legitimate users.
Affected Products: LogMeIn RACtrl.dll
Source: http://www.juniper.net/security/auto/vulnerabilities/vuln30923.html
Practitioner's note: the standard mitigation for a vulnerable ActiveX control, independent of any vendor patch, is to set the kill bit for its CLSID (a 'Compatibility Flags' DWORD of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), which stops Internet Explorer from instantiating the control no matter which page calls it.
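The three-stage filter described under Intrusion Detection above, as an added example rather than LogMeIn's implementation: an IP deny list, a per-source sliding window over unauthenticated attempts, and a per-user window over failed logins, run in order over a constructed sequence of connection attempts. The thresholds, window size, the Attempt record and the sample attempts are all assumptions of this example.

```python
"""Model of an IP filter, DoS filter and authentication filter chain (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional


@dataclass
class Attempt:
    ts: float                        # seconds; constructed timestamps, not wall-clock
    ip: str
    user: Optional[str] = None       # None: the connection never reached authentication
    auth_ok: Optional[bool] = None   # result of the authentication step, if any


@dataclass
class FilterChain:
    denied_nets: List[str]           # IP address filter (untrusted list)
    max_unauth: int = 5              # DoS filter: unauthenticated attempts per window per IP
    max_failed: int = 3              # auth filter: failed logins per window per user
    window: float = 60.0             # seconds
    _unauth: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _failed: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

    def decide(self, a: Attempt) -> str:
        # Stage 1: IP address filter, before any protocol work is done.
        addr = ip_address(a.ip)
        if any(addr in ip_network(n) for n in self.denied_nets):
            return "deny:ip-filter"
        # Stage 2: denial-of-service filter on unauthenticated requests per source.
        q = self._unauth[a.ip]
        self._prune(q, a.ts)
        if len(q) >= self.max_unauth:
            return "deny:dos-filter"
        q.append(a.ts)
        if a.user is None:
            return "allow:unauthenticated"   # handshake continues; no credentials yet
        # Stage 3: authentication filter on repeated failures for the account.
        f = self._failed[a.user]
        self._prune(f, a.ts)
        if len(f) >= self.max_failed:
            return "deny:auth-filter"       # rejected before the password is even checked
        if a.auth_ok:
            f.clear()                       # success resets the account's failure window
            q.clear()                       # and this source is no longer unauthenticated
            return "allow:authenticated"
        f.append(a.ts)
        return "deny:bad-credentials"


# Constructed attempts: an untrusted source, a normal login, a password-guessing
# run against 'bob', a connection flood without credentials, then the same source
# behaving after the window has expired.
SAMPLE = [
    Attempt(0, "203.0.113.7"),
    Attempt(1, "198.51.100.20", "alice", True),
    Attempt(2, "198.51.100.21", "bob", False),
    Attempt(3, "198.51.100.21", "bob", False),
    Attempt(4, "198.51.100.21", "bob", False),
    Attempt(5, "198.51.100.21", "bob", True),    # correct password, but locked out
    *[Attempt(10 + i, "198.51.100.22") for i in range(6)],
    Attempt(100, "198.51.100.22", "carol", True),
]


def run(chain: Optional[FilterChain] = None) -> List[str]:
    chain = chain or FilterChain(denied_nets=["203.0.113.0/24"])
    return [chain.decide(a) for a in SAMPLE]


if __name__ == "__main__":
    for a, d in zip(SAMPLE, run()):
        print(f"t={a.ts:5.0f} {a.ip:15} {a.user or '-':6} -> {d}")
```

Two behaviours worth noting: the auth filter rejects 'bob' at t=5 even with the right password, which is the lockout the white paper describes, and the DoS filter counts only unauthenticated attempts, so a source that actually logs in is not penalised for it.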
Case study: IT department gone wild
On Sun, 12 Mar 2006, IT specialist Amy Babinchak posted to the ISAserver.org discussion list for help. In an incident best described as an IT department gone wild, the former IT employees had installed rootkits, remote access software and hidden wireless routers on a majority of the company's computing and networking resources. The former IT employees used LogMeIn for remote access to the computer systems.
Amy needed to block the former employees' access to the company's resources as fast as possible. Uninstalling the software from each and every computer was the ultimate goal, but that would take time, and there was no way to guarantee 100% that she would find and uninstall it on every computer. As Amy explored her options she hit one damning concept. In her own words: "So what about blocking this 'gets through any firewall app'?"
Several options were explored, including blocking the logmein.com domain at the firewall, or isolating the domain in its own internal DNS zone with no records for it, so that hosts on the company network could not resolve it. The participants on the discussion list, Amy included, never report what the final solution was. Several times Amy asks about a "nuke and pave" solution, indicating that her employer had given, or was considering, a complete rebuild as the final answer.
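One way to act on the DNS option above, as an added example that is not from the list thread: a domain-suffix matcher run over constructed BIND-style query log lines to find which internal hosts are still resolving logmein.com, and therefore still have the software installed. The log format, the sample lines and every address and hostname in them are constructed for this example.

```python
"""Find hosts still resolving a blocked remote-access domain from DNS query logs (added example)."""
import re
from collections import defaultdict

# Domains to block, per the option discussed on the list. Matching is done on
# label boundaries so 'notlogmein.com' is not caught while 'secure.logmein.com' is.
BLOCKED_SUFFIXES = ("logmein.com",)

# BIND-style query log line (format assumed for this example):
#   "12-Mar-2006 09:15:03.120 client 192.168.1.50#1034: query: secure.logmein.com IN A +"
LOG_RE = re.compile(
    r"^(?P<date>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
12-Mar-2006 09:15:03.120 client 192.168.1.50#1034: query: secure.logmein.com IN A +
12-Mar-2006 09:15:04.002 client 192.168.1.50#1035: query: www.example.com IN A +
12-Mar-2006 09:16:11.870 client 192.168.1.77#2100: query: LogMeIn.com. IN A +
12-Mar-2006 09:17:45.311 client 192.168.1.80#1122: query: notlogmein.com IN A +
12-Mar-2006 09:18:02.004 client 192.168.1.50#1036: query: app01.gw.logmein.com IN A +
this line is not a query record and must be skipped
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return name.lower().rstrip(".")


def is_blocked(name: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    n = normalize(name)
    return any(n == s or n.endswith("." + s) for s in suffixes)


def hosts_still_calling_home(log_text: str, suffixes=BLOCKED_SUFFIXES):
    """Map client IP -> sorted blocked names it asked for. A hit means the remote
    access software is still installed and running on that machine, even if the
    domain itself is already sinkholed or blocked at the firewall."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a query record (or a format this parser does not know)
        if is_blocked(m["name"], suffixes):
            hits[m["ip"]].add(normalize(m["name"]))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in sorted(hosts_still_calling_home(SAMPLE_LOG).items()):
        print(ip, "->", ", ".join(names))
```

Keeping query logging on after the domain is blocked turns the block into a detector: the list of hosts that keep asking for the domain is the list of machines still to be cleaned, which is the inventory Amy could not otherwise get.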
The perfect storm of untrustworthy employees with a high level of access and a little know-how, coupled with the use of an apparently unblockable service, allowed for a completely compromised IT environment. The former employees had access to pretty much any system within the company, protected by a firewall or not. The subsequent infrastructure repair cost the company a substantial sum of money, which could have ranged into the hundreds of thousands of dollars or more, and worse yet if they ended up having to nuke and pave their entire data center, since that sort of operation cannot be carried out transparently to their clients.

Resources and Related Material
LogMeIn Security white paper: https://secure.logmein.com/documentation/security/wp_lmi_security.pdf
Juniper.net security report regarding LogMeIn: http://www.juniper.net/security/auto/vulnerabilities/vuln30923.html
Wikipedia: http://en.wikipedia.org/wiki/vnc
Freelists.org (isalist thread): http://www.freelists.org/post/isalist/ot-blocking-logmein-with-Checkpoint,12