Detections
Analytics
MiracleLinux 7 : fltk-1.3.4-1.el7, tigervnc-1.8.0-1.el7 (AXSA:2017-2026:01)
critical Nessus Plugin ID 288894
Synopsis
The remote MiracleLinux host is missing one or more security updates.Description
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2017-2026:01 advisory.fltk FLTK (pronounced fulltick) is a cross-platform C GUI toolkit.
It provides modern GUI functionality without the bloat, and supports 3D graphics via OpenGL and its built-in GLUT emulation.
tigervnc Virtual Network Computing (VNC) is a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. This package contains a client which will allow you to connect to other desktops running a VNC server.
CVE-2016-10207 Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1012, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, and CVE-2016-1033.
CVE-2017-5581 Buffer overflow in the ModifiablePixelBuffer::fillRect function in TigerVNC before 1.7.1 allows remote servers to execute arbitrary code via an RRE message with subrectangle outside framebuffer boundaries.
CVE-2017-7392 In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx SSecurityVeNCrypt::SSecurityVeNCrypt), an unauthenticated client can cause a small memory leak in the server.
CVE-2017-7393 In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an authenticated client can cause a double free, leading to denial of service or potentially code execution.
CVE-2017-7394 In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg), unauthenticated users can crash the server by sending long usernames.
CVE-2017-7395 In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by causing an integer overflow, an authenticated client can crash the server.
CVE-2017-7396 In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an unauthenticated client can cause a small memory leak in the server.
Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
Plugin Details
Severity: Critical
ID: 288894
File Name: miracle_linux_AXSA-2017-2026.nasl
Version: 1.1
Type: local
Published: 1/16/2026
Updated: 1/16/2026
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
Vendor
Vendor Severity: Moderate
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 7.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2016-1028
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
CVSS Score Source: CVE-2017-5581
Vulnerability Information
CPE: p-cpe:/a:miracle:linux:tigervnc-icons, p-cpe:/a:miracle:linux:tigervnc-license, p-cpe:/a:miracle:linux:fltk, cpe:/o:miracle:linux:7, p-cpe:/a:miracle:linux:tigervnc, p-cpe:/a:miracle:linux:tigervnc-server, p-cpe:/a:miracle:linux:tigervnc-server-minimal
Required KB Items: Host/local_checks_enabled, Host/MiracleLinux/release, Host/MiracleLinux/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 9/4/2017
Vulnerability Publication Date: 4/7/2016
Reference Information
CVE: CVE-2016-10207, CVE-2016-1024, CVE-2016-1028, CVE-2017-5581, CVE-2017-7392, CVE-2017-7393, CVE-2017-7394, CVE-2017-7395, CVE-2017-7396
IAVA: 2016-A-0087-S