Debian DLA-1979-1 : italc security update

High Nessus Plugin ID 130408

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The remote Debian host is missing a security update.

Description

Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver's security fixes required porting over.

CVE-2014-6051

Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer allowed remote VNC servers to cause a denial of service (crash) and possibly executed arbitrary code via an advertisement for a large screen size, which triggered a heap-based buffer overflow.

CVE-2014-6052

The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibVNCServer did not check certain malloc return values, which allowed remote VNC servers to cause a denial of service (application crash) or possibly execute arbitrary code by specifying a large screen size in a (1) FramebufferUpdate, (2) ResizeFrameBuffer, or (3) PalmVNCReSizeFrameBuffer message.

CVE-2014-6053

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc.

CVE-2014-6054

The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer allowed remote attackers to cause a denial of service (divide-by-zero error and server crash) via a zero value in the scaling factor in a (1) PalmVNCSetScaleFactor or (2) SetScale message.

CVE-2014-6055

Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer allowed remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.

CVE-2016-9941

Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.

CVE-2016-9942

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeded what is specified by the tile dimensions.

CVE-2018-6307

LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.

CVE-2018-7225

An issue was discovered in LibVNCServer.
rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

CVE-2018-15126

LibVNC contained heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.

CVE-2018-15127

LibVNC contained heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution

CVE-2018-20749

LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20750

LibVNC contained a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

CVE-2018-20019

LibVNC contained multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution

CVE-2018-20748

LibVNC contained multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.

CVE-2018-20020

LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution

CVE-2018-20021

LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM

CVE-2018-20022

LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

CVE-2018-20023

LibVNC contained CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allowed attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

CVE-2018-20024

LibVNC contained NULL pointer dereference in VNC client code that could result DoS.

CVE-2019-15681

LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.0.2+dfsg1-2+deb8u1.

We recommend that you upgrade your italc packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html

https://packages.debian.org/source/jessie/italc

Plugin Details

Severity: High

ID: 130408

File Name: debian_DLA-1979.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2019/10/31

Updated: 2020/09/23

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS Score Source: CVE-2018-7225

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:ND

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:italc-client, p-cpe:/a:debian:debian_linux:italc-client-dbg, p-cpe:/a:debian:debian_linux:italc-management-console, p-cpe:/a:debian:debian_linux:italc-management-console-dbg, p-cpe:/a:debian:debian_linux:italc-master, p-cpe:/a:debian:debian_linux:italc-master-dbg, p-cpe:/a:debian:debian_linux:libitalccore, p-cpe:/a:debian:debian_linux:libitalccore-dbg, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2019/10/30

Vulnerability Publication Date: 2014/09/30

Reference Information

CVE: CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054, CVE-2014-6055, CVE-2016-9941, CVE-2016-9942, CVE-2018-15126, CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750, CVE-2018-6307, CVE-2018-7225, CVE-2019-15681

BID: 70091, 70092, 70093, 70094, 70096

IAVA: 2020-A-0381