VNC Detection

by Michael Willison
July 29, 2014

By analyzing risks on the network, Tenable SecurityCenter Continuous View (SC CV) with Nessus and PVS provides detailed dashboard information about VNC vulnerabilities, exploits, events, and related traffic flows.

Many remote desktop programs are based on Virtual Network Connection (VNC) technology and are supported by a variety of operating systems. VNC uses the Remote Frame Buffer protocol (RFB) to remotely control another computer over the network. The ability to remotely control systems increases productivity and supportability when systems and networks are geographically diverse. A common use for VNC is for a support team to access a user's desktop while the user is there to observe the tasks, or for applying patches. RFB does not use encryption natively, and therefore VNC is not an inherently secure technology. VNC's lack of encryption can allow attackers to sniff the network and capture passwords, keystrokes, Social Security numbers, and credit card numbers. Additionally, attackers often use VNC as a post-exploitation method for maintaining access to victims' computers. For this reason, Microsoft developed its own technology called Remote Desktop Protocol (RDP).
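The RFB handshake is where the lack of native encryption shows up on the wire: the server announces its protocol version and then the security types it offers, and only a TLS-wrapping type (TLS or VeNCrypt) protects the rest of the session. The parser below is an added example, not Tenable's or any VNC project's code; it reads the server-to-client side of a constructed RFB 3.3 or 3.8 handshake and reports whether any offered security type encrypts the session.

```python
import struct
from dataclasses import dataclass, field

# Security type numbers from the RFB specification (RFC 6143 and registered extensions).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}
# Only these types wrap the RFB session in TLS; "VNC Authentication" (type 2)
# is just a DES challenge-response and leaves all later traffic in the clear.
ENCRYPTING_TYPES = {18, 19}

# Constructed server-side handshake bytes (not captured from a real host):
# RFB 3.8 offering None(1) and VNC Authentication(2), and RFB 3.3 dictating type 2.
SAMPLE_38 = b"RFB 003.008\n" + b"\x02\x01\x02"
SAMPLE_33 = b"RFB 003.003\n" + b"\x00\x00\x00\x02"


@dataclass
class RfbServerHello:
    major: int
    minor: int
    security_types: list = field(default_factory=list)
    failure_reason: str = ""

    def offers_encryption(self) -> bool:
        return any(t in ENCRYPTING_TYPES for t in self.security_types)

    def type_names(self) -> list:
        return [SECURITY_TYPES.get(t, f"unknown({t})") for t in self.security_types]


def parse_server_hello(data: bytes) -> RfbServerHello:
    """Parse the server's ProtocolVersion message and the security-type message that follows."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    hello = RfbServerHello(int(data[4:7]), int(data[8:11]))
    rest = data[12:]
    if (hello.major, hello.minor) == (3, 3):
        # RFB 3.3: the server picks a single security type, sent as a U32.
        hello.security_types = [struct.unpack("!I", rest[:4])[0]]
        return hello
    # RFB 3.7 / 3.8: U8 count followed by that many U8 security types.
    if not rest:
        raise ValueError("security-type message missing")
    count = rest[0]
    if count == 0:
        # Server refused the connection: U32 reason length, then the reason text.
        reason_len = struct.unpack("!I", rest[1:5])[0]
        hello.failure_reason = rest[5:5 + reason_len].decode("latin-1")
        return hello
    hello.security_types = list(rest[1:1 + count])
    return hello
```

A sensor that sees only "None" or "VNC Authentication" offered on port 5900 is looking at a session whose keystrokes and screen contents will cross the network unencrypted.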

Tenable's VNC Detection dashboard has six components that report on VNC vulnerabilities, exploits, and VNC network traffic flow. By understanding the vulnerabilities and their severities, SC CV users can better assess risk and prioritize mitigations for discovered vulnerabilities. Furthermore, knowing which vulnerabilities are exploitable helps security professionals resolve threats before attacks occur. Understanding the normal network traffic flow and the direction of VNC communications allows for anomaly analysis and increases the likelihood of breach detection. This dashboard provides all these tools, with trending, to show which VNC vulnerabilities exist and their associated risks.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Detection, and then selecting tags vnc, inbound, outbound, and internal.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • PVS 4.0.2

Listed below are the included components:

  • VNC Detection - Vulnerabilities by IP Address: By understanding the vulnerabilities and their severities, SC CV users can better assess risk and prioritize mitigations to discovered vulnerabilities. This component provides a table of the top 20 vulnerable VNC systems. The table is sorted by vulnerability weight score. The columns displayed are IP Address, OS, Score, and vulnerability severity (info, low, medium, high, and critical). The severity columns will have a total vulnerability count in each severity cell.
  • VNC Detection - Directional Events: Understanding the normal network traffic flow and the direction of VNC communications allows for anomaly analysis and increases the likelihood of breach detection. This component provides a table of VNC network traffic directional flow by eight event types. The event types used are: Intrusion, Login, Logout, Failed Login, Connection, Continuous, Networks, and Errors. SecurityCenter Continuous View defines network traffic flow as internal, inbound, and outbound. The Total Event Types column displays a count of all of the respective events, while the remaining three columns show the percentage of events according to directional flow.
  • VNC Detection - Normalized Events: Analyzing both the normalized events and the trending of these events will help SC CV users understand VNC activity on the network and detect anomalies. This component displays normalized events from SC CV over the past seven days. The fields displayed are: normalized event names, total events, and a trend graph for events collected over the past 7 days.
  • VNC Detection - Vulnerability with Exploits by Severities: By detecting exploitable VNC vulnerabilities, SC CV users can mitigate them before a compromise can occur. This component displays the top exploitable VNC vulnerabilities for both servers and clients. The table columns are: vulnerability name, family, severity, and total vulnerabilities, sorted by severity level.
  • VNC Detection - Total Number of Events per Day over 7 Days: This event-by-day component is useful for understanding the total number of VNC events seen each day over a 7 day period. By viewing the total number of VNC events each day, an IT team can quickly recognize when anomalies are happening in the network. Any substantial increase or decrease in VNC events indicates a change in the normal VNC activity.
  • VNC Detection - VNC Network Traffic Directional Event Trending: What counts as normal inbound and outbound VNC traffic will vary based on network configuration. Network administrators should review network traffic trends to determine if traffic is following normal usage patterns. This component displays VNC network traffic directional event trending over 25 days. The traffic flow is represented using the directional filters of internal, inbound, and outbound.
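The Directional Events component reduces to two steps: classify each VNC event as internal, inbound, or outbound by comparing source and destination addresses against the organization's own address space, then total the events per type and express each direction as a percentage. The script below is an added example, not SecurityCenter's own logic; the internal ranges, the key=value event format, and the sample events are all constructed assumptions (SC CV takes the internal ranges from its own network definition, which this example does not have).

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address space; replace with the organization's real ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed VNC events in a simple key=value form (not real SecurityCenter output).
# "Failed Login" is written as Failed_Login so the line splits on whitespace.
SAMPLE_EVENTS = """\
type=Login src=10.0.0.5 dst=10.0.0.20 dport=5900
type=Login src=203.0.113.7 dst=10.0.0.20 dport=5900
type=Failed_Login src=203.0.113.7 dst=10.0.0.20 dport=5900
type=Failed_Login src=203.0.113.7 dst=10.0.0.21 dport=5901
type=Connection src=10.0.0.8 dst=198.51.100.9 dport=5900
type=Logout src=10.0.0.5 dst=10.0.0.20 dport=5900
"""

DIRECTIONS = ("internal", "inbound", "outbound")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def direction(src: str, dst: str) -> str:
    """Classify a flow the way the dashboard's three directional filters do."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "external"  # neither end is ours; not shown in the component


def parse_event(line: str) -> dict:
    return dict(kv.split("=", 1) for kv in line.split())


def directional_summary(text: str) -> dict:
    """Per event type: total count plus percentage of events in each direction."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            counts[ev["type"]][direction(ev["src"], ev["dst"])] += 1
    summary = {}
    for etype, c in counts.items():
        total = sum(c.values())
        summary[etype] = {"total": total}
        summary[etype].update({d: round(100 * c[d] / total, 1) for d in DIRECTIONS})
    return summary
```

In the sample, every Failed Login is inbound from one external address, which is exactly the kind of skew the directional table makes visible at a glance.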