How the CVE Works
The vulnerability in jupyter-remote-desktop-proxy arises due to improper access control in TigerVNC when used as the backend for remote desktop sessions. Although the system was designed to restrict connections to UNIX sockets (local-only access), TigerVNC inadvertently exposed the VNC server over the network. This misconfiguration allows unauthorized remote attackers to intercept or hijack desktop sessions, bypassing intended security measures. The issue stems from TigerVNC failing to enforce socket-based isolation, leaving TCP ports open for external connections.
DailyCVE Form:
Platform: Jupyter Remote Desktop
Version: 3.0.0+
Vulnerability: Network Exposure
Severity: Critical
Date: 2025-04-12
What Undercode Say:
Exploitation:
1. Scan for Open VNC Ports:
nmap -p 5900-5910 <target_ip>
2. Connect via VNC Client:
vncviewer <target_ip>:5901
3. Brute Force Weak Auth (if applicable):
hydra -P passwords.txt -t 4 -V <target_ip> vnc
Protection:
1. Force UNIX Socket Binding:
vncserver -rfbunixpath /tmp/vnc_socket
2. Block Network Access via Firewall:
iptables -A INPUT -p tcp --dport 5900:5910 -j DROP
3. Switch to TurboVNC:
sudo apt remove tigervnc-server && sudo apt install turbovnc
4. Patch Jupyter Proxy Config:
In jupyter config: c.RemoteDesktopProxy.vnc_args = ["-rfbunixpath", "/tmp/vnc_socket"]
Detection Script (Check for Exposure):
import socket

# Try a TCP connection to the first VNC display port on this host.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = s.connect_ex(('localhost', 5901))
s.close()
if result == 0:
    print("VNC port exposed!")
else:
    print("Port blocked.")
Mitigation Analytics:
- Affected Users: JupyterHub deployments with TigerVNC.
- Root Cause: Missing `-localhost yes` flag in TigerVNC.
- Fix Confirmation: Verify no TCP ports are open post-patch:
ss -tuln | grep 590
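A stricter form of the fix-confirmation check, as an added example (not code from the advisory or from jupyter-remote-desktop-proxy): `grep 590` also matches unrelated ports such as 15900, and it does not distinguish a loopback bind from a wildcard bind. The sample `ss` output is constructed, and the function names are this example's own.

```python
import ipaddress

VNC_PORTS = range(5900, 5911)  # 5900-5910, the range scanned and firewalled above

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      5            0.0.0.0:5901       0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:5902       0.0.0.0:*
tcp   LISTEN 0      5               [::]:5901          [::]:*
tcp   LISTEN 0      5              [::1]:5903          [::]:*
tcp   LISTEN 0      128          0.0.0.0:15900      0.0.0.0:*
tcp   LISTEN 0      128                *:8888             *:*
udp   UNCONN 0      0            0.0.0.0:5900       0.0.0.0:*
"""


def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)


def scope_of(host):
    """'loopback' for 127.0.0.0/8 and ::1; 'network' for wildcard or other binds."""
    if host == "*":
        return "network"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "network"


def vnc_listeners(ss_output):
    """Return (host, port, scope) for each TCP listener on a VNC port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:  # skips UDP (UNCONN) rows and headers
            continue
        local = fields[fields.index("LISTEN") + 3]  # works with or without Netid
        host, port = split_local(local)
        if port in VNC_PORTS:
            findings.append((host, port, scope_of(host)))
    return findings


if __name__ == "__main__":
    for host, port, scope in vnc_listeners(SAMPLE_SS):
        print(f"{host}:{port} -> {scope}")
```

Passing it the output of `ss -H -tln` from a patched host should return an empty list; any entry with scope "network" means the VNC server is still reachable over TCP from other machines.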
References:
Reported By: https://github.com/advisories/GHSA-vrq4-9hc3-cgp7