In April 2026, a permission issue (CVE-2026-34352) was fixed in TigerVNC on SUSE/openSUSE. The flaw could let other local users see or modify your remote session.
But the lesson – and the fixes – apply forever.
What’s the real problem?
VNC servers run as a background service. If file permissions or session isolation are misconfigured, User B on the same machine can attach to User A’s VNC session. They don’t need your password – just local access and a few commands.
How to check if you are vulnerable (run these today)
# Check your TigerVNC version
vncserver --version
rpm -q tigervnc          # RPM-based distros (SUSE, Rocky, RHEL)
zypper info tigervnc     # SUSE/openSUSE

# See if the process runs with weak permissions
ps aux | grep Xvnc

# Look for world-readable session files
find ~/.vnc -type f -perm -o=r -ls

# Check if any user can list your VNC sockets
ls -la /tmp/.X11-unix/

# Test from a second local account (replace DISPLAY)
xwd -root -display :1 -out /tmp/test.xwd

# Verify the specific patch is installed (SUSE: search the package changelog)
rpm -q --changelog tigervnc | grep -i 1303

# Manual permission check
ls -la /usr/bin/Xvnc
If your version is older than tigervnc-1.10.1-150400.7.15.1 (SUSE) or 1.13.1 (Ubuntu/Rocky) – you are likely vulnerable.
Automation script to apply the fix (bash – works on all major distros)
Save as fix-tigervnc.sh and run as root:
#!/bin/bash
# Evergreen TigerVNC permission fix
set -e

# 1. Update the package through the distro's package manager
if [ -f /etc/os-release ]; then
    . /etc/os-release
    case "$ID" in
        ubuntu|debian)
            apt update && apt install -y tigervnc-standalone-server ;;
        rocky|rhel|centos)
            dnf update -y tigervnc-server ;;
        sles|opensuse*)
            # /etc/os-release reports ID=sles, opensuse-leap or opensuse-tumbleweed
            zypper refresh && zypper update -y tigervnc ;;
        *)
            echo "Unsupported distro. Check manually."
            exit 1 ;;
    esac
else
    echo "Cannot detect OS."
    exit 1
fi

# 2. Enforce strict permissions on all VNC user dirs
for vnc_dir in /home/*/.vnc /root/.vnc; do
    if [ -d "$vnc_dir" ]; then
        chmod 700 "$vnc_dir"
        # Guard the chmod: with set -e a missing passwd file would abort the script
        if [ -f "$vnc_dir/passwd" ]; then
            chmod 600 "$vnc_dir/passwd"
        fi
        echo "Fixed: $vnc_dir"
    fi
done

# 3. Restart running servers so the new binary and permissions take effect
#    (this ends active VNC sessions; pkill returns 1 when nothing is running)
systemctl restart 'vncserver@*' 2>/dev/null || pkill Xvnc || true

echo "TigerVNC has been updated and permissions hardened."
Make it executable and run:
chmod +x fix-tigervnc.sh
sudo ./fix-tigervnc.sh
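The manual checks and the permission part of the fix script above can be turned into a repeatable audit. The following script is an added example, not part of the original post or of TigerVNC; it assumes GNU stat and find (Linux), and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the original post): audit one ~/.vnc directory for
# the weak permissions described above and, optionally, harden it the same way
# the fix script does. Assumes GNU stat and find (Linux); function names are mine.

# audit_vnc_dir DIR -> 0 if DIR is private, 1 if a weakness was found,
#                      2 if DIR does not exist. Each finding is printed.
audit_vnc_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # The directory itself must be closed to group and others (700 or 500).
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        700|500) ;;
        *) echo "WEAK: $dir is mode $mode (want 700)"; rc=1 ;;
    esac
    # The obfuscated VNC password must be readable by its owner only.
    if [ -f "$dir/passwd" ]; then
        pmode=$(stat -c '%a' "$dir/passwd")
        case "$pmode" in
            600|400) ;;
            *) echo "WEAK: $dir/passwd is mode $pmode (want 600)"; rc=1 ;;
        esac
    fi
    # Any other group- or world-readable file (xstartup, logs, pid files)
    # exposes session details to other local accounts.
    leaks=$(find "$dir" -type f ! -name passwd \( -perm -g=r -o -perm -o=r \))
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/WEAK: readable by group or others: /'
        rc=1
    fi
    return "$rc"
}

# harden_vnc_dir DIR -> close the directory and every file in it to group and
# others (what the fix script does), then re-run the audit.
harden_vnc_dir() {
    dir=$1
    [ -d "$dir" ] || return 2
    chmod 700 "$dir"
    find "$dir" -type f -exec chmod go-rwx {} +
    audit_vnc_dir "$dir"
}

# Usage when run directly: VNC_AUDIT_DIR=~/.vnc sh vnc-audit.sh
if [ -n "${VNC_AUDIT_DIR:-}" ]; then
    audit_vnc_dir "$VNC_AUDIT_DIR"
fi
```

Run it as each user (or as root over /home/*/.vnc) before and after applying the fix script to confirm that no finding remains.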
Alternative mitigation (if you can’t update now)
1. iptables – block local users from hijacking the port
# Only allow your own UID to connect to VNC port 5901.
# iptables must run as root, so $(id -u) would resolve to 0 under sudo;
# use the invoking user's UID instead.
iptables -A OUTPUT -m owner --uid-owner "${SUDO_UID:-$(id -u)}" -d 127.0.0.1 -p tcp --dport 5901 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport 5901 -j DROP
# These rules match only connections to 127.0.0.1 (start Xvnc with -localhost so
# it listens nowhere else), do not cover the X11 socket under /tmp/.X11-unix,
# and are lost on reboot unless saved.
2. AppArmor – restrict the VNC server itself
Create /etc/apparmor.d/usr.bin.Xvnc (the file the reload command below refers to) with:
#include <tunables/global>

/usr/bin/Xvnc {
  # base abstraction: shared libraries and other basics every binary needs
  #include <abstractions/base>

  # Allow only the starting user to connect
  unix peer=(label=unconfined),
  deny /tmp/.X11-unix/* w,
}
Then reload: apparmor_parser -r /etc/apparmor.d/usr.bin.Xvnc
Because the profile is deliberately minimal, put it in complain mode first (aa-complain) and review the denials the kernel logs before switching to enforce; otherwise Xvnc may fail to start.
3. SSH tunnel only (no open VNC port)
On your client:
ssh -L 5901:localhost:5901 user@server
Then connect your VNC viewer to localhost:5901. Start Xvnc with -localhost so that it only listens on the loopback interface and the session reaches the server exclusively through the tunnel; untrusted users elsewhere on the network can't touch it. A user already logged in on the server can still reach a loopback listener, so combine the tunnel with the permission fixes above.
Suggested reading:
The Practice of System and Network Administration (3rd Edition) by Thomas A. Limoncelli
Why it fits the TigerVNC article:
This classic covers operational security – how to design remote access policies that survive beyond any single CVE. The TigerVNC permission flaw is a textbook example of what the authors call "local visibility risks." Specific value includes:
Chapter 18: "Remote Access Services" – VNC, SSH tunneling, and secure defaults
Chapter 28: "Security" – layering defenses for remote administration
Ready-to-use checklists for auditing service permissions
How it helps your audience: System administrators who read this book will never accidentally leave VNC sessions open to other local users again. It teaches the process of secure configuration, not just a one-time fix.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.
