https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/

[debian-lts-announce] 20181227 [SECURITY] [DLA 1617-1] libvncserver security update

[debian-lts-announce] 20191030 [SECURITY] [DLA 1979-1] italc security update

GLSA-201908-05

USN-3877-1

USN-4547-1

DSA-4383

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4587-1 advisory.

  - Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows     remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an     advertisement for a large screen size, which triggers a heap-based buffer overflow. (CVE-2014-6051)

  - The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer 0.9.9 and earlier does not     check certain malloc return values, which allows remote VNC servers to cause a denial of service     (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1)     FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message. (CVE-2014-6052)

  - The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier     does not properly handle attempts to send a large amount of ClientCutText data, which allows remote     attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that is     processed by using a single unchecked malloc. (CVE-2014-6053)

  - The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer 0.9.9 and earlier     allows remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero     value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message. (CVE-2014-6054)

  - Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9     and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute     arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a     rfbFileTransferOffer message. (CVE-2014-6055)

  - Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote     servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted     FramebufferUpdate message containing a subrectangle outside of the client drawing area. (CVE-2016-9941)

  - Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers     to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted     FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds     what is specified by the tile dimensions. (CVE-2016-9942)

  - An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c     does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or     possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
    (CVE-2018-7225)

  - LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write     vulnerability in server code of file transfer extension that can result remote code execution     (CVE-2018-15127)

  - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write     vulnerabilities in VNC client code that can result remote code execution (CVE-2018-20019)

  - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write     vulnerability inside structure in VNC client code that can result remote code execution (CVE-2018-20020)

  - LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop     vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources     like CPU and RAM (CVE-2018-20021)

  - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper     Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse     for information disclosure. Combined with another vulnerability, it can be used to leak stack memory     layout and in bypassing ASLR (CVE-2018-20022)

  - LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization     vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for     information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout     and in bypassing ASLR (CVE-2018-20023)

  - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC     client code that can result DoS. (CVE-2018-20024)

  - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in     libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. (CVE-2018-20748)

  - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete. (CVE-2018-20749)

  - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete. (CVE-2018-20750)

  - LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC     server code, which allow an attacker to read stack memory and can be abused for information disclosure.
    Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack     appear to be exploitable via network connectivity. These vulnerabilities have been fixed in commit     d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a. (CVE-2019-15681)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4547-1 advisory.

  - An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c     does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or     possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
    (CVE-2018-7225)

  - LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write     vulnerability in server code of file transfer extension that can result remote code execution     (CVE-2018-15127)

  - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write     vulnerabilities in VNC client code that can result remote code execution (CVE-2018-20019)

  - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write     vulnerability inside structure in VNC client code that can result remote code execution (CVE-2018-20020)

  - LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c contains a CWE-835: Infinite loop     vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources     like CPU and RAM (CVE-2018-20021)

  - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper     Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse     for information disclosure. Combined with another vulnerability, it can be used to leak stack memory     layout and in bypassing ASLR (CVE-2018-20022)

  - LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization     vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for     information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout     and in bypassing ASLR (CVE-2018-20023)

  - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC     client code that can result DoS. (CVE-2018-20024)

  - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in     libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. (CVE-2018-20748)

  - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete. (CVE-2018-20749)

  - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete. (CVE-2018-20750)

  - LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC     server code, which allow an attacker to read stack memory and can be abused for information disclosure.
    Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack     appear to be exploitable via network connectivity. These vulnerabilities have been fixed in commit     d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a. (CVE-2019-15681)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver's security fixes required porting over.

CVE-2014-6051

Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer allowed remote VNC servers to cause a denial of service (crash) and possibly executed arbitrary code via an advertisement for a large screen size, which triggered a heap-based buffer overflow.

CVE-2014-6052

The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer did not check certain malloc return values, which allowed remote VNC servers to cause a denial of service (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message.

CVE-2014-6053

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc.

CVE-2014-6054

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer allowed remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message.

CVE-2014-6055

Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer allowed remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.

CVE-2016-9941

Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.

CVE-2016-9942

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeded what is specified by the tile dimensions.

CVE-2018-6307

LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.

CVE-2018-7225

An issue was discovered in LibVNCServer.
rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

CVE-2018-15126

LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.

CVE-2018-15127

LibVNC contained heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution

CVE-2018-20749

LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20750

LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20019

LibVNC contained multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution

CVE-2018-20748

LibVNC contained multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.

CVE-2018-20020

LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution

CVE-2018-20021

LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM

CVE-2018-20022

LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

CVE-2018-20023

LibVNC contained CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allowed attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

CVE-2018-20024

LibVNC contained NULL pointer dereference in VNC client code that could result DoS.

CVE-2019-15681

LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.0.2+dfsg1-2+deb8u1.

We recommend that you upgrade your italc packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201908-05 (LibVNCServer: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in LibVNCServer. Please       review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - LibVNC before 0.9.12 contains multiple heap     out-of-bounds write vulnerabilities in     libvncclient/rfbproto.c. The fix for CVE-2018-20019 was     incomplete.(CVE-2018-20748)

  - LibVNC before 0.9.12 contains a heap out-of-bounds     write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete.(CVE-2018-20749)

  - LibVNC through 0.9.12 contains a heap out-of-bounds     write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete.(CVE-2018-20750)

  - LibVNC before commit     7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap     out-of-bound write vulnerability inside structure in     VNC client code that can result remote code     execution(CVE-2018-20020)

  - LibVNC before commit     ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution.(CVE-2018-6307)

  - LibVNC before commit     73cb96fec028a576a5a24417b57723b55854ad7b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution(CVE-2018-15126)

  - LibVNC before commit     a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains     multiple heap out-of-bound write vulnerabilities in VNC     client code that can result remote code     execution(CVE-2018-20019)

  - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838     contains multiple weaknesses CWE-665: Improper     Initialization vulnerability in VNC client code that     allows attacker to read stack memory and can be abuse     for information disclosure. Combined with another     vulnerability, it can be used to leak stack memory     layout and in bypassing ASLR(CVE-2018-20022)

  - LibVNC before commit     4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null     pointer dereference in VNC client code that can result     DoS.(CVE-2018-20024)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libvncserver: Heap out-of-bounds write in rfbserver.c     in rfbProcessFileTransferReadBuffer() allows for     potential code execution (CVE-2018-15127)

  - LibVNC before commit     7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap     out-of-bound write vulnerability inside structure in     VNC client code that can result remote code     execution(CVE-2018-20020)

  - LibVNC before commit     ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution.(CVE-2018-6307)

  - LibVNC before commit     73cb96fec028a576a5a24417b57723b55854ad7b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution(CVE-2018-15126)

  - LibVNC before commit     a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains     multiple heap out-of-bound write vulnerabilities in VNC     client code that can result remote code     execution(CVE-2018-20019)

  - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838     contains multiple weaknesses CWE-665: Improper     Initialization vulnerability in VNC client code that     allows attacker to read stack memory and can be abuse     for information disclosure. Combined with another     vulnerability, it can be used to leak stack memory     layout and in bypassing ASLR(CVE-2018-20022)

  - LibVNC before commit     4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null     pointer dereference in VNC client code that can result     DoS.(CVE-2018-20024)

  - LibVNC before 0.9.12 contains multiple heap     out-of-bounds write vulnerabilities in     libvncclient/rfbproto.c. The fix for CVE-2018-20019 was     incomplete.(CVE-2018-20748)

  - LibVNC before 0.9.12 contains a heap out-of-bounds     write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete.(CVE-2018-20749)

  - LibVNC through 0.9.12 contains a heap out-of-bounds     write vulnerability in libvncserver/rfbserver.c. The     fix for CVE-2018-15127 was incomplete.(CVE-2018-20750)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - libvncserver: Heap out-of-bounds write in rfbserver.c     in rfbProcessFileTransferReadBuffer() allows for     potential code execution (CVE-2018-15127)

  - LibVNC before commit     7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap     out-of-bound write vulnerability inside structure in     VNC client code that can result remote code     execution(CVE-2018-20020)

  - LibVNC before commit     ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution.(CVE-2018-6307)

  - LibVNC before commit     73cb96fec028a576a5a24417b57723b55854ad7b contains heap     use-after-free vulnerability in server code of file     transfer extension that can result remote code     execution(CVE-2018-15126)

  - LibVNC before commit     a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains     multiple heap out-of-bound write vulnerabilities in VNC     client code that can result remote code     execution(CVE-2018-20019)

  - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838     contains multiple weaknesses CWE-665: Improper     Initialization vulnerability in VNC client code that     allows attacker to read stack memory and can be abuse     for information disclosure. Combined with another     vulnerability, it can be used to leak stack memory     layout and in bypassing ASLR(CVE-2018-20022)

  - LibVNC before commit     4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null     pointer dereference in VNC client code that can result     DoS.(CVE-2018-20024)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure.

It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for LibVNCServer fixes the following issues :

Security issues fixed :

  - CVE-2018-15126: Fixed use-after-free in file transfer     extension (bsc#1120114)

  - CVE-2018-6307: Fixed use-after-free in file transfer     extension server code (bsc#1120115)

  - CVE-2018-20020: Fixed heap out-of-bound write inside     structure in VNC client code (bsc#1120116)

  - CVE-2018-15127: Fixed heap out-of-bounds write in     rfbserver.c (bsc#1120117)

  - CVE-2018-20019: Fixed multiple heap out-of-bound writes     in VNC client code (bsc#1120118)

  - CVE-2018-20023: Fixed information disclosure through     improper initialization in VNC Repeater client code     (bsc#1120119)

  - CVE-2018-20022: Fixed information disclosure through     improper initialization in VNC client code (bsc#1120120)

  - CVE-2018-20024: Fixed NULL pointer dereference in VNC     client code (bsc#1120121)

  - CVE-2018-20021: Fixed infinite loop in VNC client code     (bsc#1120122)

This update was imported from the SUSE:SLE-15:Update update project.

This update for LibVNCServer fixes the following issues :

Security issues fixed :

CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114)

CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115)

CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116)

CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117)

CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118)

CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120)

CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121)

CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for LibVNCServer fixes the following issues :

Security issues fixed :

CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114)

CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115)

CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116)

CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117)

CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118)

CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119)

CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120)

CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121)

CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for LibVNCServer fixes the following issues :

Security issues fixed :

  - CVE-2018-15126: Fixed use-after-free in file transfer     extension (bsc#1120114)

  - CVE-2018-6307: Fixed use-after-free in file transfer     extension server code (bsc#1120115)

  - CVE-2018-20020: Fixed heap out-of-bound write inside     structure in VNC client code (bsc#1120116)

  - CVE-2018-15127: Fixed heap out-of-bounds write in     rfbserver.c (bsc#1120117)

  - CVE-2018-20019: Fixed multiple heap out-of-bound writes     in VNC client code (bsc#1120118)

  - CVE-2018-20023: Fixed information disclosure through     improper initialization in VNC Repeater client code     (bsc#1120119)

  - CVE-2018-20022: Fixed information disclosure through     improper initialization in VNC client code (bsc#1120120)

  - CVE-2018-20024: Fixed NULL pointer dereference in VNC     client code (bsc#1120121)

  - CVE-2018-20021: Fixed infinite loop in VNC client code     (bsc#1120122)

This update was imported from the SUSE:SLE-12:Update update project.

Kaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities.

CVE-2018-6307

a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2018-15127

contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity.

CVE-2018-20019

multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution.

CVE-2018-20020

heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution.

CVE-2018-20021

CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM.

CVE-2018-20022

CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR.

CVE-2018-20023

Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR.

CVE-2018-20024

a NULL pointer dereference in VNC client code, which can result in DoS.

For Debian 8 'Jessie', these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u4.

We recommend that you upgrade your libvncserver packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141545	Ubuntu 16.04 LTS : iTALC vulnerabilities (USN-4587-1)	Nessus	Ubuntu Local Security Checks	high
140920	Ubuntu 18.04 LTS : iTALC vulnerabilities (USN-4547-1)	Nessus	Ubuntu Local Security Checks	high
130408	Debian DLA-1979-1 : italc security update	Nessus	Debian Local Security Checks	high
127563	GLSA-201908-05 : LibVNCServer: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
123109	EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1096)	Nessus	Huawei Local Security Checks	high
122378	EulerOS 2.0 SP2 : libvncserver (EulerOS-SA-2019-1051)	Nessus	Huawei Local Security Checks	high
122206	EulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1033)	Nessus	Huawei Local Security Checks	high
121561	Debian DSA-4383-1 : libvncserver - security update	Nessus	Debian Local Security Checks	high
121541	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : LibVNCServer vulnerabilities (USN-3877-1)	Nessus	Ubuntu Local Security Checks	high
121282	openSUSE Security Update : LibVNCServer (openSUSE-2019-53)	Nessus	SuSE Local Security Checks	high
121160	SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1)	Nessus	SuSE Local Security Checks	high
121158	SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0080-1)	Nessus	SuSE Local Security Checks	high
121154	openSUSE Security Update : LibVNCServer (openSUSE-2019-45)	Nessus	SuSE Local Security Checks	high
121094	SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0060-1)	Nessus	SuSE Local Security Checks	high
119877	Debian DLA-1617-1 : libvncserver security update	Nessus	Debian Local Security Checks	high

CVE-2018-20019

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins