CVE-2020-26117
📋 TL;DR
TigerVNC viewers before 1.11.0 (the native viewer, rfb/CSecurityTLS.cxx, and the Java viewer, rfb/CSecurityTLS.java) mishandle TLS certificate exceptions. When a user clicks through a certificate warning, the viewer appends that certificate to its exception store and, on every later connection, loads the store as a set of certificate authorities rather than as a list of exact certificates. Any certificate signed by an accepted certificate is therefore trusted for any hostname. An attacker whose certificate was accepted once (for example a self-signed certificate presented during a first interception that the user clicked through) can impersonate any VNC server to that client from then on without triggering a further warning.
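The trust decision described above, as an added example (not code from TigerVNC or from the advisories): a POSIX shell script that uses only the OpenSSL command line to build the scenario locally and evaluate a presented certificate under both models. The hostnames vnc-test.example.org and vnc-prod.example.org, the file names and the attacker scenario are constructed for the demonstration; only the file name x509_savedcerts.pem mirrors the viewer's exception store. Run it with `sh` where `openssl` is installed.

```shell
#!/bin/sh
# Added example (not TigerVNC code): model the viewer's trust decision before
# and after the CVE-2020-26117 fix with nothing but the OpenSSL CLI.
#   vulnerable model - the exception store is loaded as a CA bundle, so any
#                      certificate signed by an accepted certificate validates
#   fixed model      - the presented certificate must be one of the accepted
#                      certificates itself (compared here by SHA-256 fingerprint)
# Hostnames, file names and the attacker scenario are constructed for the demo.
set -eu

# Build (1) the attacker's self-signed, CA-capable certificate that a user once
# clicked through for vnc-test.example.org, which the viewer then appended to
# x509_savedcerts.pem, and (2) a certificate for the real server
# vnc-prod.example.org, signed with the attacker's key.
make_certs() {                  # $1 = scratch directory
  cat > "$1/accepted.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = vnc-test.example.org
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,digitalSignature
subjectAltName = DNS:vnc-test.example.org
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -sha256 \
    -config "$1/accepted.cnf" -keyout "$1/accepted.key" \
    -out "$1/accepted.pem" 2>/dev/null
  cp "$1/accepted.pem" "$1/x509_savedcerts.pem"   # the viewer's exception store

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=vnc-prod.example.org' \
    -keyout "$1/impersonated.key" -out "$1/impersonated.csr" 2>/dev/null
  printf 'subjectAltName=DNS:vnc-prod.example.org\n' > "$1/leaf.ext"
  openssl x509 -req -in "$1/impersonated.csr" -CA "$1/accepted.pem" \
    -CAkey "$1/accepted.key" -CAcreateserial -days 2 -sha256 \
    -extfile "$1/leaf.ext" -out "$1/impersonated.pem" 2>/dev/null
}

# Vulnerable model (viewers before 1.11.0): the store is a set of trust anchors.
# The attacker's certificate for the target hostname chains to the accepted
# certificate, so both the chain check and the hostname check pass silently.
vulnerable_accepts() {          # $1 = dir  $2 = presented cert  $3 = target host
  openssl verify -CAfile "$1/x509_savedcerts.pem" -verify_hostname "$3" \
    "$1/$2" >/dev/null 2>&1
}

# Fixed model (1.11.0 and later): an exception covers exactly one certificate.
# Split the store into its PEM blocks and require an identical fingerprint;
# a certificate that is merely signed by an accepted one is rejected.
pinned_accepts() {              # $1 = dir  $2 = presented cert
  presented=$(openssl x509 -in "$1/$2" -noout -fingerprint -sha256)
  awk -v d="$1" '/-----BEGIN CERTIFICATE-----/ { n++ }
                 { print > (d "/saved_" n ".pem") }' "$1/x509_savedcerts.pem"
  for f in "$1"/saved_*.pem; do
    saved=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
    if [ "$saved" = "$presented" ]; then return 0; fi
  done
  return 1
}

demo() {
  dir=$(mktemp -d)
  make_certs "$dir"
  printf '%-18s %-22s %s\n' 'presented' 'vulnerable(CA bundle)' 'fixed(exact match)'
  for pair in 'accepted.pem vnc-test.example.org' 'impersonated.pem vnc-prod.example.org'; do
    set -- $pair
    v=REJECT; vulnerable_accepts "$dir" "$1" "$2" && v=ACCEPT
    p=REJECT; pinned_accepts "$dir" "$1" && p=ACCEPT
    printf '%-18s %-22s %s\n' "$1" "$v" "$p"
  done
  rm -rf "$dir"
}
demo
```

The attacker's certificate for vnc-prod.example.org is accepted by the CA-bundle model and rejected by the exact-match model, while the certificate the user actually accepted passes both. The CA-capable extensions are what the attacker would put on the certificate they get the user to click through; the modelled fix does not care about them because it never treats the store as a set of issuers.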
💻 Affected Systems
- TigerVNC viewers (vncviewer and the Java viewer) before 1.11.0; VNC servers are not affected
📦 What is this software?
- openSUSE Leap (distribution package tigervnc)
- TigerVNC (upstream project)
⚠️ Risk & Real-World Impact
Worst Case
An attacker on the network path can transparently intercept every VNC session from an affected client whose exception store already holds a certificate the attacker can sign with: screen contents, keystrokes and any credentials sent through the session are exposed, and the attacker can inject input into the remote desktop.
Likely Case
Targeted attacks against organizations using TigerVNC viewers, where an attacker who can obtain a man-in-the-middle position (hostile Wi-Fi, compromised switch, ARP or DNS spoofing) first gets one certificate warning clicked through and then silently intercepts later sessions to any server.
If Mitigated
With viewers at 1.11.0 or later, an accepted exception covers only that exact certificate, so exposure shrinks to the one server the user chose to trust. Where patching is not yet possible, exposure is limited to clients whose exception store holds no attacker-usable certificate and to network positions the attacker cannot reach.
🎯 Exploit Status
Exploitation requires a man-in-the-middle position between viewer and server and one earlier user interaction: the client must previously have accepted an exception for a certificate whose private key the attacker holds (typically a self-signed certificate presented during an earlier interception and clicked through by the user). After that, no further interaction is needed for any server. No public exploit code is listed in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.0 and later (distribution packages may carry the fix as a backport under an older version number; see the openSUSE and Debian LTS advisories in the references)
Vendor Advisory: http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html
Restart Required: Yes (running viewer processes keep the old code)
Instructions:
1. Install TigerVNC 1.11.0 or later from the official release (https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0) or the fixed package from your distribution.
2. Remove the old version where the new one does not replace it in place.
3. Delete the exception store (x509_savedcerts.pem in the viewer's configuration directory, ~/.vnc on Unix-like systems) so that certificates accepted while the viewer was vulnerable are not carried forward.
4. Restart any running viewer sessions.
🔧 Temporary Workarounds
Disable certificate exception acceptance
Make the exception dialog unnecessary and treat it as an alarm: restrict the viewer to the certificate-authenticated security types and point it at the real CA (the SecurityTypes and X509CA viewer parameters, e.g. -SecurityTypes=X509Vnc,X509Plain -X509CA=/path/to/ca.pem), and delete any exceptions already stored in x509_savedcerts.pem (under ~/.vnc on Unix-like systems). A vulnerable viewer still offers the dialog, so this only holds while users refuse to click through.
Use certificate pinning
Issue server certificates from an internal CA and distribute that CA to every viewer through X509CA, so a legitimate connection never prompts and any prompt indicates interception. Do not pre-populate x509_savedcerts.pem on a vulnerable viewer: everything in it is loaded as a certificate authority, not as a pinned certificate.
🧯 If You Can't Patch
- Train users to treat any certificate warning from the viewer as a probable interception: abort the connection and report it, never accept the exception
- Clear x509_savedcerts.pem on every endpoint running a vulnerable viewer, so that no previously accepted certificate can serve as a trust anchor
- Implement network segmentation and monitoring to detect man-in-the-middle attempts
🔍 How to Verify
Check if Vulnerable:
Read the viewer's version banner (vncviewer --version; the same banner is the first line of the usage text). A reported version below 1.11.0 is vulnerable unless your distribution shipped a backported fix, in which case compare the package version against the distribution advisory (openSUSE, Debian LTS) rather than the upstream number. Also inspect the exception store (x509_savedcerts.pem under ~/.vnc on Unix-like systems): on a vulnerable viewer every entry is a trust anchor for all servers.
Check Version:
vncviewer --version
Verify Fix Applied:
After patching, confirm the version is 1.11.0 or later (or the fixed distribution package). Then connect to a test server whose certificate is not trusted, accept the exception, and confirm it covers only that certificate: presenting a different certificate signed by the accepted one must still raise a warning.
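A local exposure check combining the two verification steps above, as an added example (not a script from TigerVNC or the advisories). It assumes the viewer banner has the form "TigerVNC Viewer 64-bit v1.10.1" and that the exception store lives at ~/.vnc/x509_savedcerts.pem; both are assumptions to confirm on your platform, and a distribution package with a backported fix will still be reported as vulnerable by the version number alone.

```shell
#!/bin/sh
# Added example (not TigerVNC code): a local exposure check for CVE-2020-26117.
# Assumptions: the viewer's banner looks like "TigerVNC Viewer 64-bit v1.10.1"
# (first line of its version/usage output), and the accepted-exception store is
# x509_savedcerts.pem in the viewer's configuration directory (~/.vnc on
# Unix-like systems). Distribution packages with a backported fix keep the old
# upstream version number, so treat "vulnerable" below as "check the advisory".
set -eu

# Print the first major.minor.patch found in the banner text, or nothing.
tigervnc_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*[ v]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# 0 = version below 1.11.0, 1 = 1.11.0 or later, 2 = no version found.
tigervnc_is_vulnerable() {
  ver=$(tigervnc_version "$1")
  [ -n "$ver" ] || return 2
  IFS=. read -r maj min pat <<EOF
$ver
EOF
  if [ "$maj" -lt 1 ]; then return 0; fi
  if [ "$maj" -gt 1 ]; then return 1; fi
  if [ "$min" -lt 11 ]; then return 0; fi
  return 1
}

# Number of certificates in the exception store; 0 if the file is absent.
# On a vulnerable viewer every entry is a trust anchor for all hostnames.
count_saved_exceptions() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verdict: 0 = fixed version, 1 = vulnerable version with an empty store,
# 2 = vulnerable version and stored exceptions (an accepted certificate is
# already acting as a CA for every server), 3 = version could not be read.
cve_2020_26117_status() {       # $1 = banner text  $2 = path to x509_savedcerts.pem
  tigervnc_is_vulnerable "$1" && rc=0 || rc=$?
  case $rc in
    0) if [ "$(count_saved_exceptions "$2")" -gt 0 ]; then return 2; fi; return 1 ;;
    1) return 0 ;;
    *) return 3 ;;
  esac
}

# Run against the locally installed viewer, if there is one.
if command -v vncviewer >/dev/null 2>&1; then
  banner=$(vncviewer --version 2>&1 | head -n 1 || true)
  cve_2020_26117_status "$banner" "${HOME:-}/.vnc/x509_savedcerts.pem" && rc=0 || rc=$?
  echo "banner: $banner"
  echo "CVE-2020-26117 status: $rc (0 fixed, 1 vulnerable, 2 vulnerable with stored exceptions, 3 unknown)"
fi
```

Status 2 is the case to act on first: the viewer is vulnerable and at least one certificate is already loaded as a trust anchor, so deleting the store is as urgent as updating the package.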
📡 Detection & Monitoring
Log Indicators:
- New entries in, or growth of, the viewer's exception store (x509_savedcerts.pem) on endpoints, picked up by file integrity monitoring; entries that are CA-capable or not issued by your own CA deserve immediate review
- Viewer logs showing repeated certificate warnings or exception acceptances from the same client
Network Indicators:
- The certificate presented on a VNC server port changing between sessions, or a certificate seen on the wire that differs from the one the server actually serves
- Alerts from existing man-in-the-middle detection (ARP or DNS spoofing, rogue gateways) on segments carrying VNC traffic
SIEM Query:
source="tigervnc" AND (event="certificate_exception" OR event="certificate_warning")
(illustrative only: the viewer emits no such events on its own, so the source and event names must be mapped to the telemetry you actually collect, for example endpoint file-change events for x509_savedcerts.pem)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00024.html
- https://bugzilla.opensuse.org/show_bug.cgi?id=1176733
- https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb
- https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b
- https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba
- https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e
- https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0
- https://lists.debian.org/debian-lts-announce/2020/10/msg00007.html