https://bugs.kde.org/show_bug.cgi?id=502865

            Bug ID: 502865
           Summary: Security/UX - Allow configuring VNC listen address to
                    something other than 0.0.0.0/:: (Related to, but not a
                    duplicate of #255740)
    Classification: Applications
           Product: krfb
           Version: 24.12.3
          Platform: Arch Linux
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: general
          Assignee: grundleb...@googlemail.com
          Reporter: ty...@amick.us
  Target Milestone: ---

SUMMARY
Krfb does not allow the user to change the listen address from 0.0.0.0. The
user should be able to configure Krfb to listen on a specific IP instead of
every IP address on the system. To compound this, Krfb shows a "hint" IP that
may erroneously lead the user to believe that the VNC server is only accessible
on that IP address if they fail to read the informational dialog.

Most people's primary use case for this feature would be listening on
127.0.0.1, so they can only connect through an SSH tunnel. A well known issue
with the VNC protocol is that it only protects the password (weakly), leaving
all graphical information, keystrokes, and mouse movements completely
unprotected and able to be trivially captured with a tool like Wireshark.
Having the ability to configure the listen address to force the usage of SSH as
a transport completely eliminates this vector for eavesdropping. This approach
is also officially recommended by the developers of TightVNC. [^1]
Additionally, it would keep other devices on the network from probing at the
VNC server.

In addition to the above use case, my system has multiple interfaces and
multiple IP addresses, and I want to be able to configure Krfb to listen on my
primary LAN address instead of every interface on the system (some of which are
not fully trusted).

SUGGESTED FIX
Krfb already allows changing the default port. If I were implementing this, I'd
imagine the best UX would be to expand the port specification box so it will
also optionally accept a full listen address (e.g. "5900" will still work, but
":5900", "127.0.0.1:5900", "::1:5900", "192.168.1.2:5900", "0.0.0.0:5900", etc.
will all work as well). 

Additionally the "Connection Details" pane should reflect the actual listen
address instead of randomly selecting a single IP on the system. If the user is
using the default 0.0.0.0/:: listen addresses, it may also be helpful to
display all possible listening addresses (or whichever ones have an associated
default gateway) instead of selecting one seemingly randomly.

FURTHER NOTES
This bug is somewhat related to #255740, but it is not a duplicate. The user
should be able to change the listen address to anything they want, including
(but not limited to) localhost.

I have near-zero familiarity with Qt or C++, but I'm willing to take a crack at
writing a patch if anyone is willing to provide me with some guidance.

Thanks for your consideration,
--Tyler

[^1]:
https://www.tightvnc.com/faq.php#:~:text=In%20the%20mean%20time,untrusted%20networks

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to