The Hacker News reports that dozens of new VNC client and server vulnerabilities have been found in the open source versions of the tools used by IT departments all over the world. If you are like me and think “VNC, who uses that any more?” then you should go check out a YouTube video by Tobias Mädel where he connects to open VNC servers all over the internet. Sure, the video is from 2015, but when you think about how quickly industrial plant management software and device firmware is updated you can bet money that there are still plenty of open VNC servers still running and accessible.
The moral of the story? Don’t expose critical systems and services (like RDP and VNC) over the internet unless it is absolutely essential. If it is essential, and you can’t put them behind a VPN, then you had better use a very strong and complex password to secure the access. Even with a VPN you should do that. Lastly, you need to makes sure you and any vendor you are purchasing software and devices from have a strong policy of pushing out updates anytime a vulnerability is found. You can’t afford to wait five years for an update when your chemical plan control system is left completely exposed on the internet through remote access software flaws.