CVE-2022-24750 UltraVNC is a free and open source remote pc access software

A cross site request forgery (CSRF) vulnerability has been discovered in the web interface of the VNC server. The web interface allows an attacker to perform actions that affect the logged in user. If an attacker is able to access the VNC server via an exploit, they can access the localhost interface on a vulnerable system. It is recommended that users upgrade their VNC server to 1.4.4 to confirm this vulnerability has been patched. It is also recommended to create a scheduled task on a low privilege account to launch VNC instead. There are no known workarounds if VNC needs to be run as a service.

A privilege escalation vulnerability has been discovered in the web interface of the VNC server. The web interface allows an attacker to perform actions that affect the logged in user. If an attacker is able to access the VNC server via an exploit, they can access the localhost interface on a vulnerable system. It is recommended that users upgrade their VNC server to 1.4.4 to confirm this vulnerability has been patched. It is also recommended to create a scheduled task on a low privilege account to launch VNC instead. There are no known workarounds if VNC needs to be run as a service.

An information disclosure vulnerability has been discovered in the web interface of the VNC server. The web interface allows an attacker to perform actions that affect the logged in user. If an attacker is able to access the VNC server via

CSRF vulnerability

VNC server via an exploit, they can access the localhost interface on a vulnerable system. It is recommended that users upgrade their VNC server to 1.4.4 to confirm this vulnerability has been patched. It is also recommended to create a scheduled task on a low privilege account to launch VNC instead. There are no known workarounds if VNC needs to be run as a service.

An information disclosure vulnerability has been discovered in the web interface of the VNC server. The web interface allows an attacker to perform actions that affect the logged in user. If an attacker is able to access the VNC server via an exploit, they can access the localhost interface on a vulnerable system. It is recommended that users upgrade their VNC server to 1.4.4 to confirm this vulnerability has been patched. It is also recommended to create a scheduled task on a low privilege account to launch VNC instead. There are no known workarounds if VNC needs to be run as a service.

Timeline

Published on: 03/10/2022 21:15:00 UTC
Last modified on: 03/18/2022 20:06:00 UTC

References

• https://github.com/ultravnc/UltraVNC/security/advisories/GHSA-3mvp-cp5x-vj5g
• https://github.com/bowtiejicode/UltraVNC-DSMPlugin-LPE
• https://github.com/ultravnc/UltraVNC/commit/36a31b37b98f70c1db0428f5ad83170d604fb352
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24750