
How to remediate – VNC Server ‘password’ Password

1. Introduction

A VNC server running on a remote host is secured with the weak password ‘password’. This means an attacker could gain unauthorised access to the system. Businesses are at risk of data breaches, service disruption and malware installation if this vulnerability exists on systems handling sensitive information or critical functions. Affected systems typically include servers, workstations, and virtual machines where remote administration via VNC is enabled. A successful attack could compromise confidentiality, integrity, and availability.

2. Technical Explanation

The VNC server allows access using a default or easily guessed password. Nessus successfully logged in with the ‘password’ credential, demonstrating the weakness. An attacker would typically scan for open VNC ports (usually 5900 and 5901) then attempt to authenticate using common credentials like ‘password’. If successful, they gain full control of the affected system as if physically present.

  • Root cause: The VNC server is configured with a weak or default password.
  • Exploit mechanism: An attacker uses brute-force or credential stuffing to log in via VNC authentication. For example, an attacker could use a script to attempt logins using a list of common passwords.
  • Scope: All systems running any version of VNC server with the default ‘password’ or other weak credentials are affected.

3. Detection and Assessment

Confirming the vulnerability involves checking whether the VNC service is accessible and whether it accepts the ‘password’ credential. A quick check can be done via a simple connection attempt, while a thorough assessment requires scanning tools.

  • Quick checks: Attempt to connect to port 5900 or 5901 using a VNC client with the password ‘password’.
  • Scanning: Nessus plugin ID 84637 can identify this vulnerability. Other scanners may have similar checks.
  • Logs and evidence: Check VNC server logs for successful logins from unexpected sources, or failed login attempts followed by a successful login using ‘password’. Log locations vary depending on the VNC server implementation (e.g., /var/log/vnc/).
vncviewer 
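
The "failed login attempts followed by a successful login" pattern from the logs-and-evidence bullet, turned into a small detector. This is an added example and not part of the original article or of any VNC vendor's tooling: the log layout (`<timestamp> VNC auth <RESULT> from <ip>:<port>`) and the sample lines are constructed, and `LINE_RE` is the one assumption to adapt to the real server's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<timestamp> VNC auth <RESULT> from <ip>:<port>"
# layout. Real VNC servers (TigerVNC, RealVNC, x11vnc, ...) each log differently, so
# LINE_RE is the one thing to change for a real deployment.
SAMPLE_LOG = """\
2025-10-26T09:12:01 VNC auth FAILED from 203.0.113.9:51234
2025-10-26T09:12:02 VNC auth FAILED from 203.0.113.9:51235
2025-10-26T09:12:03 VNC auth FAILED from 203.0.113.9:51236
2025-10-26T09:12:04 VNC auth SUCCESS from 203.0.113.9:51237
2025-10-26T09:30:00 VNC auth SUCCESS from 192.0.2.10:40000
2025-10-26T10:00:00 VNC auth FAILED from 198.51.100.5:60000
2025-10-26T11:00:00 VNC auth SUCCESS from 198.51.100.5:60001
not a VNC line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) VNC auth "
    r"(?P<result>FAILED|SUCCESS) from (?P<ip>[0-9.]+):\d+$"
)


def parse_log(text):
    """Return (timestamp, source_ip, result) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["result"]))
    return events


def count_failures(events):
    """Failed logins per source IP: the 'brute-force in progress' signal from section 5."""
    counts = defaultdict(int)
    for _, ip, result in events:
        if result == "FAILED":
            counts[ip] += 1
    return dict(counts)


def guess_then_login(events, min_failures=2, window=timedelta(minutes=10)):
    """Sources that logged in after at least `min_failures` failures within `window`.

    Returns {ip: number_of_recent_failures}. A success clears that source's
    failure history, so one burst is reported once.
    """
    recent_failures = defaultdict(list)
    hits = {}
    for ts, ip, result in sorted(events):
        if result == "FAILED":
            recent_failures[ip].append(ts)
            continue
        in_window = [t for t in recent_failures[ip] if ts - t <= window]
        if len(in_window) >= min_failures:
            hits[ip] = len(in_window)
        recent_failures[ip].clear()
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logins per source:", count_failures(evs))
    print("guess-then-login sources:", guess_then_login(evs))
```

On the sample, 203.0.113.9 is reported (three failures and then a success inside ten minutes), while 198.51.100.5 is not: its single failure is an hour before its success, so it only shows up in the per-source failure count. Both thresholds are parameters so the detector can be tuned to how noisy the environment is.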

4. Solution / Remediation Steps

Fixing this issue requires changing the weak password to a strong, unique one. Follow these steps carefully to avoid locking yourself out of remote access.

4.1 Preparation

  • Ensure you have an alternative method of accessing the system in case the password change causes issues. A roll-back plan involves restoring the original configuration file.
  • A standard change window may be required, and approval from a senior administrator is recommended.

4.2 Implementation

  1. Step 1: Stop the VNC service. For example, on systemd systems use `sudo systemctl stop vncserver@:`.
  2. Step 2: Edit the VNC server configuration file (e.g., ~/.vnc/xstartup or /etc/vnc/config). Locate the password setting and change it to a strong, unique value.
  3. Step 3: Restart the VNC service using `sudo systemctl start vncserver@:`.

4.3 Config or Code Example

Before

# /etc/vnc/config
localhost=yes
password=password

After

# /etc/vnc/config
localhost=yes
password=

4.4 Security Practices Relevant to This Vulnerability

Practices that directly address this vulnerability include strong password policies and least privilege access control. Regularly reviewing user accounts and permissions can also help prevent unauthorised access.

  • Practice 1: Implement a strong password policy requiring complex passwords and regular changes to reduce the risk of brute-force attacks.
  • Practice 2: Apply the principle of least privilege, granting users only the minimum necessary access rights to limit potential damage from compromised accounts.

4.5 Automation (Optional)

If using configuration management tools like Ansible, you can automate password changes across multiple VNC servers. Be cautious when automating sensitive credentials and ensure proper secrets management.

# Example Ansible playbook snippet
- name: Change VNC Password
  lineinfile:
    path: /etc/vnc/config
    regexp: '^password='
    line: 'password='
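
The edit-and-restart procedure of 4.2, the before/after config of 4.3 and the automation idea of 4.5, as one script that audits the configuration, makes a backup, rewrites the password line, verifies the result and restores the backup on any failure (the roll-back from section 7). It is an added example, not code from the article, from Ansible or from any VNC vendor: the key=value config layout is taken from the page, the weak-password list and the 12-character minimum are constructed policy values, and the file paths are whatever the caller passes in. The audit function is also the kind of check a deployment pipeline (section 6) would run against rendered configs.

```python
import os
import secrets
import shutil
import tempfile

# Constructed copy of the "Before" config from section 4.3. The key=value layout
# follows the page; real VNC servers keep credentials differently (TigerVNC, for
# example, writes an obfuscated ~/.vnc/passwd via vncpasswd), so adapt parse/write
# to the product in use.
BEFORE = "# /etc/vnc/config\nlocalhost=yes\npassword=password\n"

# Small constructed list of default and trivially guessed values to reject.
WEAK_PASSWORDS = {"", "password", "vnc", "admin", "123456", "changeme"}
MIN_LENGTH = 12  # constructed policy minimum


def parse_config(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means the config passes the check."""
    settings = parse_config(text)
    findings = []
    password = settings.get("password")
    if password is None:
        findings.append("no password configured")
    elif password.lower() in WEAK_PASSWORDS:
        findings.append("weak or default password")
    elif len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    if settings.get("localhost", "no").lower() != "yes":
        findings.append("VNC not restricted to localhost (localhost=yes)")
    return findings


def read_text(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def set_password(path, new_password):
    """Replace the password line in `path`, taking a backup first; restore it on any failure.

    Returns the backup path so the caller can roll back later (section 7).
    """
    if new_password.lower() in WEAK_PASSWORDS or len(new_password) < MIN_LENGTH:
        raise ValueError("refusing to set a weak password")
    backup = path + ".bak"
    shutil.copy2(path, backup)
    try:
        lines = read_text(path).splitlines()
        new_lines = [f"password={new_password}" if l.startswith("password=") else l
                     for l in lines]
        if not any(l.startswith("password=") for l in lines):
            new_lines.append(f"password={new_password}")
        # Write to a temp file and rename so the config is never left half-written.
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.write("\n".join(new_lines) + "\n")
        os.chmod(tmp, 0o600)  # credentials file: owner read/write only
        os.replace(tmp, path)
        if parse_config(read_text(path)).get("password") != new_password:
            raise RuntimeError("post-change verification failed")
    except Exception:
        rollback(path, backup)
        raise
    return backup


def rollback(path, backup):
    """Restore the configuration saved by set_password()."""
    shutil.copy2(backup, path)


def demo():
    """Run audit -> change -> verify -> roll back on a temporary copy of BEFORE."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config")
        with open(path, "w", encoding="utf-8") as f:
            f.write(BEFORE)
        before = audit_config(read_text(path))
        backup = set_password(path, secrets.token_urlsafe(18))  # generated, never hard-coded
        after = audit_config(read_text(path))
        rollback(path, backup)
        restored = parse_config(read_text(path))["password"]
    return before, after, restored


if __name__ == "__main__":
    print(demo())
```

Stopping and restarting the service (steps 1 and 3 of 4.2) stays outside the script on purpose: wrap `set_password()` between the `systemctl stop` and `systemctl start` calls the page gives, and keep the returned backup path until the smoke test in section 5 has passed.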

5. Verification / Validation

Confirm the fix by attempting to connect with the old password and verifying it fails, then connecting successfully with the new password. A service smoke test confirms remote access functionality remains intact.

  • Post-fix check: Attempt to connect using `vncviewer ` with the original password ‘password’. The connection should fail.
  • Re-test: Re-run Nessus plugin ID 84637; it should no longer report the vulnerability.
  • Smoke test: Connect to the VNC server using the new password and verify you can access the desktop as expected.
  • Monitoring: Monitor VNC server logs for failed login attempts with incorrect passwords, which could indicate ongoing brute-force attacks.
vncviewer  # Connection should fail

6. Preventive Measures and Monitoring

Update security baselines to enforce strong password requirements for VNC servers. Implement regular patch management processes to address known vulnerabilities in the VNC software itself. For example, a CIS control requiring secure remote access configurations can prevent this issue.

  • Baselines: Update your security baseline or policy to require complex passwords and disable default credentials on all systems.
  • Pipelines: Include checks in CI/CD pipelines for insecure VNC configurations during deployment.
  • Asset and patch process: Implement a regular patch cycle (e.g., monthly) to apply security updates to the VNC server software.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Incorrect password configuration may prevent legitimate users from accessing the system. Mitigation: Have a backup access method available.
  • Risk or side effect 2: Service interruption during restart if configuration is invalid. Mitigation: Test changes in a non-production environment first.
  • Roll back: 1) Stop the VNC service. 2) Restore the original VNC server configuration file from backup. 3) Restart the VNC service.

8. References and Resources

  • Vendor advisory or bulletin: Check your specific VNC server vendor’s website for security advisories.
  • NVD or CVE entry: https://nvd.nist.gov/vuln/detail/CVE-2017-5638
  • Product or platform documentation relevant to the fix: Refer to your VNC server’s official documentation for configuration instructions.
Updated on October 26, 2025
