The hard-coded credentials can be found in the 'server_install_dir/config/install.vnc' file of the UltraVNC installation. The file contains the credentials for the UltraVNC server, such as 'admin/admin'. Using these credentials, a remote attacker could take full remote control of the affected host.

The agent and server for Axeda VDI use different credentials. However, the agent and server for Windows VDI also use hard-coded credentials. Successful exploitation of this vulnerability could allow a remote attacker to take full remote control of the affected Windows VDI host operating system. The hard-coded credentials can be found in the 'server_install_dir/config/install.vnc' file of the Windows VDI agent. The file contains the credentials for the Windows VDI agent, such as 'admin/admin'. Using these credentials, a remote attacker could take full remote control of the affected Windows VDI host operating system.

The agent and server for Linux also use hard-coded credentials. Successful exploitation of this vulnerability could allow a remote attacker to take full remote control of the affected Linux VDI host operating system. The hard-coded credentials can be found in the 'server_install_dir/config/install.vnc' file of the Linux VDI agent. The file contains the credentials for the Linux VDI agent, such as 'admin/admin'. Using

Products and Services Affected by UltraVNC Hard-coded Credentials

Product or service affected by this vulnerability - UltraVNC
Vendor - UltraVNC
As of the time of this publication, there are no reports of successful exploitation of this vulnerability.

Dependencies

An attacker could exploit this vulnerability by using the VNC client to connect to the affected host. The VNC client is a graphical utility used for remote access.
The agent and server for Windows VDI use different credentials, so exploitation of this vulnerability would require an attacker to have both the agent and server installed on the affected host.
The agent and server for Linux also use hard-coded credentials, so exploitation of this vulnerability would require an attacker to have both the agent and server installed on the affected host.

Solution

The hard-coded credentials can be found in the 'server_install_dir/config/install.vnc' file of the UltraVNC installation. The file contains the credentials for the UltraVNC server, such as 'admin/admin'. To fix this, change the hard-coded credentials to something else.

Windows VDI Agent

The Windows VDI Agent needs to be configured on the Windows VDI host for it to work. For convenience, the agent installs a default configuration with the username and password admin/admin. This default configuration is stored in the 'server_install_dir/config/install.vnc' file of the Windows VDI agent.
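
One way to find installations that still carry the default pair described under Solution and Windows VDI Agent, as an added example that is not vendor code. The key=value layout and key names are assumptions, since this page does not show the file's format, and the sample tree is constructed; the group/other readability check on POSIX hosts is an extra beyond what the page describes.

```python
import os
import re
import tempfile
from pathlib import Path

DEFAULT_PAIRS = {("admin", "admin")}  # default pair named in the advisory
# ASSUMPTION: key names and the "key=value" layout are illustrative only.
USER_KEYS = {"user", "username"}
PASS_KEYS = {"pass", "password"}
KV_RE = re.compile(r"^\s*(\w+)\s*[=:]\s*(.*?)\s*$")

def parse_credentials(text):
    """Extract (user, password) from assumed key=value lines; None where absent."""
    found = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in USER_KEYS:
            found["user"] = value
        elif key in PASS_KEYS:
            found["password"] = value
    return found.get("user"), found.get("password")

def audit_file(path):
    """Return the list of findings for one install.vnc file."""
    findings = []
    if parse_credentials(path.read_text(errors="replace")) in DEFAULT_PAIRS:
        findings.append("default credentials")
    if os.name == "posix" and path.stat().st_mode & 0o044:
        findings.append("readable by group/other")
    return findings

def audit_tree(root):
    """Map each <install_dir>/config/install.vnc under root to its findings."""
    hits = Path(root).rglob("config/install.vnc")
    return {str(p.relative_to(root)): f for p in hits if (f := audit_file(p))}

def build_sample(root):
    """Constructed tree: hostA keeps the default pair, hostB has changed it."""
    samples = {"hostA": ("user=admin\npassword=admin\n", 0o644),
               "hostB": ("user=svc-vnc\npassword=Xq7!constructed\n", 0o600)}
    for name, (body, mode) in samples.items():
        cfg = Path(root) / name / "config" / "install.vnc"
        cfg.parent.mkdir(parents=True)
        cfg.write_text(body)
        cfg.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, findings in audit_tree(tmp).items():
            print(path, "->", ", ".join(findings))
```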

Timeline

Published on: 03/16/2022 15:15:00 UTC
Last modified on: 03/28/2022 13:25:00 UTC

References