FERRAMENTAS LINUX: TigerVNC Security – How to Stop Other Users from Spying on Your Remote Session

Tuesday, 14 April 2026

CVE-2026-34352 lets other users spy on your TigerVNC session. Here's how to check, patch (Ubuntu/Rocky Linux/SUSE), apply iptables workarounds, and automate the fix with a bash script.

Remote access is the backbone of Linux system administration. But what happens if the tool you trust—TigerVNC—accidentally lets other users on the same server peek at your screen or inject fake keystrokes?

A recent update (CVE-2026-34352) fixed a nasty permission problem in TigerVNC. The flaw allowed a local, unprivileged user to either observe your VNC session or tamper with the data sent to your client.

While the patch was released in 2026, the lesson is permanent: VNC servers must have strict screen access permissions. This guide shows you how to check, fix, and harden your VNC setup on any major Linux distro, today and for years to come.

How to Check if You Are Vulnerable (Ubuntu, Rocky, SUSE)

You are likely vulnerable if:

1. You run TigerVNC version 1.10.1 or older on any distribution.

2. You allow multiple, untrusted users to log into the same physical or virtual machine where the VNC server runs.

3. Your VNC server runs under x0vncserver or Xvnc without a properly locked MIT-SHM (shared memory) configuration.


The "smell test" (a quick manual check): Log into the machine via SSH as a low-privileged user and run ps aux | grep Xvnc. If another user's VNC process is listed, try xwd -root -display :1 (where :1 is that user's display). If you get their screen, the display's access control (xhost/Xauthority) admits your account and you are exposed, patched or not. The reverse does not hold: a refused connection only shows that this one path is closed, so still confirm the installed version against the list above.
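As an added example (not code from the original post or from the TigerVNC project), the following script turns that manual check into something you can run from the low-privileged account: it compares the installed version against the 1.10.1 cutoff stated above, lists Xvnc/x0vncserver processes owned by other users, and tries xwd against each of their displays. It assumes the binary names Xvnc, Xtigervnc and x0vncserver, that xwd is installed (package x11-apps on Debian/Ubuntu), and that Xvnc -version prints its usual "Xvnc TigerVNC 1.x.y - built ..." banner; the 1.10.1 threshold is carried from the article, not verified here.

```shell
#!/bin/sh
# vnc-exposure-check.sh - added example for this article, not part of TigerVNC.
# Three checks from the text: installed version vs the article's 1.10.1 cutoff,
# VNC server processes owned by other users, and whether this (unprivileged)
# account can read one of those displays with xwd.

# Vulnerable-or-older cutoff as stated in the article (assumption carried from the text).
MAX_VULN_VERSION=1.10.1

# version_le A B: exit 0 when dotted version A <= B (numeric, component-wise).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0
    }'
}

# is_vulnerable_version V: exit 0 when V is at or below the cutoff.
is_vulnerable_version() {
    version_le "$1" "$MAX_VULN_VERSION"
}

# parse_xvnc_version BANNER: extract "1.13.1" from "Xvnc TigerVNC 1.13.1 - built ...".
parse_xvnc_version() {
    printf '%s\n' "$1" | sed -n 's/.*TigerVNC \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# installed_version: print the version of the local Xvnc binary (Debian/Ubuntu name it Xtigervnc).
installed_version() {
    for bin in Xvnc Xtigervnc; do
        if command -v "$bin" >/dev/null 2>&1; then
            parse_xvnc_version "$("$bin" -version 2>&1)"
            return 0
        fi
    done
    return 1
}

# other_users_vnc: print "UID DISPLAY" for VNC server processes not owned by the caller.
# The display is taken from the first ":N" argument; "?" if none is visible on the command line.
other_users_vnc() {
    ps -eo uid=,args= | awk -v me="$(id -u)" '
        $1 != me && $2 ~ /(^|\/)(Xvnc|Xtigervnc|x0vncserver)$/ {
            disp = "?"
            for (i = 3; i <= NF; i++) if ($i ~ /^:[0-9]+$/) disp = $i
            print $1, disp
        }'
}

# can_read_display DISPLAY: exit 0 if xwd can grab the root window as this user.
can_read_display() {
    command -v xwd >/dev/null 2>&1 || { echo "xwd not installed (x11-apps on Debian/Ubuntu)" >&2; return 2; }
    xwd -root -silent -out /dev/null -display "$1" >/dev/null 2>&1
}

main() {
    ver=$(installed_version) || { echo "No Xvnc/Xtigervnc binary found in PATH"; return 1; }
    if is_vulnerable_version "$ver"; then
        echo "TigerVNC $ver is at or below $MAX_VULN_VERSION: update it"
    else
        echo "TigerVNC $ver is newer than $MAX_VULN_VERSION"
    fi
    other_users_vnc | while read -r uid disp; do
        owner=$(getent passwd "$uid" | cut -d: -f1)
        if [ "$disp" != "?" ] && can_read_display "$disp"; then
            echo "EXPOSED: display $disp owned by ${owner:-$uid} is readable by $(id -un)"
        else
            echo "display $disp owned by ${owner:-$uid}: not readable from this account (or no display argument)"
        fi
    done
}

# Run the checks only when executed under the suggested file name, so the
# functions can also be sourced from another script without side effects.
case "${0##*/}" in vnc-exposure-check.sh) main ;; esac
```

Save it as vnc-exposure-check.sh and run it as the unprivileged user, not as root: root can read every display anyway, so the xwd result would tell you nothing. An "EXPOSED" line means the X server's access control lets your account in, which is a finding on its own; a clean run only means this one path is closed.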

Automation Script to Apply the Fix (Bash)

This bash script detects your distro and applies the official patch. Save it as fix-tigervnc.sh.

bash
#!/bin/bash
# fix-tigervnc.sh - Automated fix for CVE-2026-34352 style permissions flaw
# Works on Ubuntu 20.04+, Rocky 8/9, SUSE 15 SP4+ (run as a user with sudo rights)

set -e

echo "🔒 TigerVNC Permission Fix Script"
echo "---------------------------------"

if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
    VER=$VERSION_ID
else
    echo "Cannot detect OS. Exiting."
    exit 1
fi

echo "Detected $OS $VER"

case $OS in
    ubuntu|debian)
        echo "Debian/Ubuntu: updating TigerVNC..."
        sudo apt update
        # --only-upgrade skips packages that are not installed, so listing all three is safe
        sudo apt install --only-upgrade -y tigervnc-standalone-server tigervnc-xorg-extension tigervnc-scraping-server
        ;;
    rocky|rhel|centos|almalinux)
        echo "RHEL/Rocky: applying update..."
        sudo dnf update -y tigervnc-server
        ;;
    sles|opensuse-leap|opensuse-tumbleweed)
        echo "SUSE/openSUSE: applying the patch that fixes the CVE..."
        # zypper can select patches by CVE identifier; -n answers prompts non-interactively
        sudo zypper -n patch --cve=CVE-2026-34352
        # Alternative full update:
        # sudo zypper -n update tigervnc
        ;;
    *)
        echo "Unsupported OS ($OS). Manually update TigerVNC."
        exit 1
        ;;
esac

# Show the version that is now installed (Debian/Ubuntu name the binary Xtigervnc)
for bin in Xvnc Xtigervnc; do
    if command -v "$bin" >/dev/null 2>&1; then
        "$bin" -version 2>&1 | head -n 1
        break
    fi
done

echo "✅ Patch applied. Running Xvnc processes still use the old binary,"
echo "   so you MUST restart every VNC session now, e.g. 'vncserver -kill :1 && vncserver :1'"
echo "   or, where the systemd unit is used, 'sudo systemctl restart vncserver@:1'."

Alternative Mitigation (If You Cannot Update Now)

Can't restart services or apply the patch today? You can limit exposure with iptables (restrict who can reach the VNC port) or AppArmor (confine the Xvnc process). Be clear about what these do not do: the flaw is exploitable by a local user who is already on the host, so a network filter does not remove the vulnerability, it only reduces who can additionally reach the listener. Treat both options as defense in depth and still schedule the update.


Option 1: iptables (Network Layer Block)

This stops anyone except your admin machine from connecting to the VNC port of display :1 (5901; display :N listens on TCP 5900+N).

bash
# Allow only your workstation (192.168.1.100) to reach VNC display :1 (port 5901).
# -I puts the rules at the top of INPUT, so an existing catch-all ACCEPT cannot shadow the DROP.
sudo iptables -I INPUT 1 -p tcp --dport 5901 -s 192.168.1.100 -j ACCEPT
sudo iptables -I INPUT 2 -p tcp --dport 5901 -j DROP
# If clients arrive through an SSH tunnel, also allow loopback (otherwise the DROP blocks them):
# sudo iptables -I INPUT 1 -i lo -p tcp --dport 5901 -j ACCEPT
# Verify: -C returns 0 when the rule exists
sudo iptables -C INPUT -p tcp --dport 5901 -j DROP && echo "DROP rule active"

# Persist rules (RHEL/Rocky with iptables-services; the redirect must run as root, so wrap it)
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
# For Ubuntu (iptables-persistent): sudo netfilter-persistent save
# Rocky 8/9 ship firewalld instead; the equivalent allow rule there is:
# sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="5901" protocol="tcp" accept' && sudo firewall-cmd --reload

Option 2: AppArmor (Restrict the VNC Process)

Create a custom AppArmor profile for TigerVNC to block it from reading other users' shared memory. Two caveats before you rely on it: AppArmor file rules match filesystem paths, so the rule below only covers shared memory backed by a file under /dev/shm; classic MIT-SHM segments created with shmget()/shmat() are System V objects without a path and are not touched by it. And aa-genprof is interactive: it records the program's accesses while you use it, so run a normal VNC session during profile generation. This option applies to Ubuntu and SUSE; RHEL/Rocky use SELinux, not AppArmor.

bash
# On Debian/Ubuntu the executed binary is /usr/bin/Xtigervnc (/usr/bin/Xvnc is an alternatives
# symlink); name the file that is actually executed, since that is the path AppArmor matches.
sudo aa-genprof /usr/bin/Xvnc      # interactive: start and use a VNC session while it records
# Then edit /etc/apparmor.d/usr.bin.Xvnc and add inside the profile block:
#   deny /dev/shm/org.mit.shm.* rw,
# Load it in enforce mode and confirm it is listed:
sudo aa-enforce /usr/bin/Xvnc
sudo aa-status | grep -i xvnc
# Watch for denials while you test a session:
sudo dmesg | grep -i 'apparmor="DENIED"'

The Professional’s Fix: Centralized Remote Access

Manually patching 50 servers is a nightmare. The real solution is moving away from raw VNC to a bastion host or remote access gateway that proxies VNC with modern authentication.


Suggested reading:

Mastering Linux Security and Hardening (3rd Edition) by Donald A. Tevault

Why it fits this article: Chapter 10 covers Mandatory Access Control with SELinux and AppArmor, the mitigation technique used above. The book also has sections on SSH hardening, firewall configuration (iptables/nftables), and user account security. It is a practical, code-heavy guide written by a professional Linux trainer who holds the LPI Level 3 Security certification.

Best for: System administrators who want to lock down remote access and prevent exactly the kind of screen-snooping vulnerability CVE-2026-34352 exposed.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides, at no extra cost to you.


