Info about TigerVNC vulnerability

22 Feb 2017

The review of Scout Enterprise and eLux RP, prompted by the security vulnerability in TigerVNC 1.7.0 and earlier versions announced under DFN-CERT-2017-0157, has not resulted in any complaints.

To exploit the vulnerability, a remote attacker must use a malicious VNC server to manipulate the VNC viewer. However, the VNC viewer used within the Scout Enterprise console to mirror eLux clients can only access the VNC server installed on the eLux clients. The VNC server on the eLux clients can be sufficiently secured by enabling appropriate security settings such as disabling USB boot in the BIOS, blocking the use of USB mass storage devices, using signature checks for firmware updates and restricting mirroring to the Scout Enterprise console only. The VNC viewer of the Scout Enterprise console cannot contact any other VNC servers on non-eLux clients in the network.