TigerVNC flaw: strangers watching your screen. Here's the permanent fix (not just a patch). Check commands for 3 distros, bash script, iptables. Plus the Amazon book every Linux admin needs.
In April 2026, a permission flaw (CVE-2026-34352) was found in TigerVNC. Below is how to permanently protect any Linux machine running VNC.
If you run VNC (Virtual Network Computing) on any Linux server or desktop – from a single Ubuntu workstation to 100 Rocky Linux servers – you have one big risk: someone else seeing or controlling your screen without permission.
The recent CVE-2026-34352 showed exactly that: bad permissions let other local users observe your VNC session or inject fake keystrokes. The CVSS score varies (7.0 to 9.8) but the real danger is simple – anyone with a local account can hijack your view.
Below is a distro-agnostic guide to check, fix, and harden TigerVNC permanently.
1. How to check if you are vulnerable (Ubuntu, Rocky Linux, SUSE)
# Ubuntu
# Check TigerVNC version
vncserver --version
# Look for weak socket permissions
ls -la /tmp/.X11-unix/ | grep vnc
find /tmp -user $(whoami) -name "*vnc*" -perm /o+r 2>/dev/null

# Rocky Linux
rpm -q tigervnc
ls -la /run/user/*/vnc* 2>/dev/null
ps aux | grep Xvnc

# SUSE
zypper info tigervnc
# Specifically vulnerable versions: 1.12.0-150500.4.3.1 and earlier
test -f /usr/bin/Xvnc && strings /usr/bin/Xvnc | grep -i "permission"

# This should FAIL if permissions are correct
sudo -u nobody vncviewer localhost:1
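The manual checks above differ per distro; the helper below, added here as an example (it is not part of the original post or of TigerVNC), does the same permission audit on any of the three: it lists regular files and sockets whose name contains "vnc", or that live in a .vnc directory, that group or other users can read, write or execute. The function name, the default locations and GNU find/stat (Linux) are my assumptions.

```shell
#!/bin/sh
# audit_vnc_perms: report VNC-related files and sockets that group or other
# users can access. Hypothetical helper written for this post; not part of
# TigerVNC or of any distro package. Assumes GNU find and GNU stat (Linux).
# Usage: audit_vnc_perms [DIR ...]   (no args = the locations checked above)
audit_vnc_perms() {
    [ "$#" -eq 0 ] && set -- /tmp /run/user "$HOME/.vnc"
    # A finding is a regular file or socket whose name contains "vnc", or that
    # sits in a .vnc directory, with ANY group/other permission bit set
    # (GNU find: -perm /077 means "any of these bits is set").
    findings=$(find "$@" \( -iname '*vnc*' -o -path '*/.vnc/*' \) \
                    \( -type f -o -type s \) -perm /077 2>/dev/null)
    if [ -z "$findings" ]; then
        echo "OK: no group/other-accessible VNC files under: $*"
        return 0
    fi
    printf '%s\n' "$findings" | while IFS= read -r path; do
        # Print mode and owner so another local user's files stand out.
        printf 'INSECURE %s mode=%s owner=%s\n' "$path" \
            "$(stat -c '%a' "$path")" "$(stat -c '%U' "$path")"
    done
    count=$(printf '%s\n' "$findings" | wc -l | tr -d ' ')
    echo "FOUND $count group/other-accessible VNC file(s); tighten with: chmod 600 <file>"
    return 1
}
```

The function exits non-zero when it finds anything, so it can be dropped into a cron job or a monitoring check that alerts on a failing status.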
2. Automation script to apply the fix (bash – works on Ubuntu, Rocky, SUSE)
#!/bin/bash
# TigerVNC Permission Fix – CVE-2026-34352
# Works on: Ubuntu 20.04+, Rocky 8/9, SUSE 15 SP5+
set -e

echo "[*] Detecting OS..."
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
    VER=$VERSION_ID
fi

fix_and_update() {
    echo "[*] Stopping all user VNC sessions..."
    pkill -u $(whoami) Xvnc || true
    pkill Xvnc || true
    case $OS in
        ubuntu|debian)
            apt update && apt install -y tigervnc-standalone-server
            ;;
        rocky|rhel|centos)
            dnf update -y tigervnc-server
            ;;
        sles|suse|opensuse-leap)   # /etc/os-release reports ID=sles on SLES
            zypper --non-interactive update tigervnc
            # Specific SUSE patch command:
            zypper --non-interactive patch --cve=CVE-2026-34352 || true
            ;;
        *)
            echo "Unsupported OS. Manual update required."
            exit 1
            ;;
    esac
}

# Apply OS update
fix_and_update

echo "[*] Removing leftover insecure sockets..."
# "|| true" keeps set -e from aborting when find hits an unreadable directory
find /tmp /run -name "*vnc*" -type s -delete 2>/dev/null || true

echo "[*] Setting strict permissions on VNC related binaries..."
# Only touch binaries that exist (names differ slightly between distros)
[ -e /usr/bin/Xvnc ] && chmod 755 /usr/bin/Xvnc
[ -e /usr/bin/vncserver ] && chmod 755 /usr/bin/vncserver

echo "[*] Restarting VNC service if exists..."
# Quote the glob so systemctl, not the shell, expands the unit pattern
systemctl restart 'vncserver@*' 2>/dev/null || true

echo "[+] Done. Start a new VNC session and test with 'sudo -u nobody vncviewer localhost:1'"
chmod +x fix-tigervnc-perms.sh
sudo ./fix-tigervnc-perms.sh
# Allow VNC only from localhost (if you use an SSH tunnel).
# Rule order matters: iptables stops at the first match, so the ACCEPT
# rule must be appended BEFORE the DROP rule or it never takes effect.
sudo iptables -A INPUT -p tcp --dport 5900:5910 -s 127.0.0.1 -j ACCEPT
# Block external VNC access completely
sudo iptables -A INPUT -p tcp --dport 5900:5910 -j DROP
# AppArmor profile fragment for Xvnc
/usr/bin/Xvnc {
  # Deny reading/writing other users' files
  deny /home/*/.vnc/** w,
  deny /tmp/.X11-unix/* w,
}
# On client machine:
ssh -L 5901:localhost:5901 user@your-server
# Then connect vncviewer to localhost:5901