CVE-2018-15127 - Out-of-bounds Write vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, libvnc-project, canonical, redhat, debian, CWE-787, critical, nessus

Summary

LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains a heap out-of-bounds write vulnerability in the server code of the file transfer extension that can result in remote code execution.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-0059.NASL
    description: An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-18
    modified: 2019-01-16
    plugin id: 121203
    published: 2019-01-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121203
    title: RHEL 7 : libvncserver (RHSA-2019:0059)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:0059. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121203);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2018-15127");
      script_xref(name:"RHSA", value:"2019:0059");
    
      script_name(english:"RHEL 7 : libvncserver (RHSA-2019:0059)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libvncserver is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    LibVNCServer is a C library that enables you to implement VNC server
    functionality into own programs.
    
    Security Fix(es) :
    
    * libvncserver: Heap out-of-bounds write in rfbserver.c in
    rfbProcessFileTransferReadBuffer() allows for potential code execution
    (CVE-2018-15127)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:0059"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-15127"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libvncserver, libvncserver-debuginfo and / or
    libvncserver-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvncserver");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvncserver-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libvncserver-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:0059";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"libvncserver-0.9.9-13.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvncserver-0.9.9-13.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"libvncserver-debuginfo-0.9.9-13.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvncserver-debuginfo-0.9.9-13.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"libvncserver-devel-0.9.9-13.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libvncserver-devel-0.9.9-13.el7_6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncserver / libvncserver-debuginfo / libvncserver-devel");
      }
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3877-1.NASL
    description: It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-02-01
    plugin id: 121541
    published: 2019-02-01
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121541
    title: Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3877-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121541);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-20748", "CVE-2018-20749", "CVE-2018-20750", "CVE-2018-6307");
      script_xref(name:"USN", value:"3877-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that LibVNCServer incorrectly handled certain
    operations. A remote attacker able to connect to applications using
    LibVNCServer could possibly use this issue to obtain sensitive
    information, cause a denial of service, or execute arbitrary code.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3877-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libvncclient1, libvncserver0 and / or
    libvncserver1 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20750");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncclient1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04 / 18.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libvncserver0", pkgver:"0.9.9+dfsg-1ubuntu1.4")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libvncclient1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libvncserver1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncclient1 / libvncserver0 / libvncserver1");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1032.NASL
    description: According to the version of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-02-15
    plugin id: 122205
    published: 2019-02-15
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122205
    title: EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1032)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122205);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2018-15127"
      );
    
      script_name(english:"EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1032)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the libvncserver package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - libvncserver: Heap out-of-bounds write in rfbserver.c
        in rfbProcessFileTransferReadBuffer() allows for
        potential code execution (CVE-2018-15127)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1032
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8741bf7f");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libvncserver package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libvncserver");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libvncserver-0.9.9-12.h2"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncserver");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2019-0059.NASL
    description: An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-17
    modified: 2019-01-17
    plugin id: 121216
    published: 2019-01-17
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121216
    title: CentOS 7 : libvncserver (CESA-2019:0059)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4383.NASL
    description: Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure.
    last seen: 2020-03-17
    modified: 2019-02-04
    plugin id: 121561
    published: 2019-02-04
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121561
    title: Debian DSA-4383-1 : libvncserver - security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-13927-1.NASL
    description: This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-14
    plugin id: 121160
    published: 2019-01-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121160
    title: SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-45.NASL
    description: This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-03-18
    modified: 2019-01-14
    plugin id: 121154
    published: 2019-01-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121154
    title: openSUSE Security Update : LibVNCServer (openSUSE-2019-45)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-0080-1.NASL
    description: This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-14
    plugin id: 121158
    published: 2019-01-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121158
    title: SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0080-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1051.NASL
    description: According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-02-22
    plugin id: 122378
    published: 2019-02-22
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122378
    title: EulerOS 2.0 SP2 : libvncserver (EulerOS-SA-2019-1051)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1068.NASL
    description: According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-03-08
    plugin id: 122691
    published: 2019-03-08
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122691
    title: EulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1068)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-53.NASL
    description: This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-03-18
    modified: 2019-01-22
    plugin id: 121282
    published: 2019-01-22
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121282
    title: openSUSE Security Update : LibVNCServer (openSUSE-2019-53)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1033.NASL
    description: According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution (CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. (CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution (CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution (CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR (CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS. (CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-02-15
    plugin id: 122206
    published: 2019-02-15
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122206
    title: EulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1033)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20190115_LIBVNCSERVER_ON_SL7_X.NASL
    description: Security Fix(es) : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127)
    last seen: 2020-03-18
    modified: 2019-01-16
    plugin id: 121205
    published: 2019-01-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121205
    title: Scientific Linux Security Update : libvncserver on SL7.x x86_64 (20190115)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2019-1161.NASL
    description: LibVNC contains heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution (CVE-2018-15127)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122162
    published: 2019-02-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122162
    title: Amazon Linux 2 : libvncserver (ALAS-2019-1161)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1652.NASL
    description: A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update. CVE-2018-15126 An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension. CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues. For Debian 8
    last seen: 2020-03-17
    modified: 2019-02-01
    plugin id: 121517
    published: 2019-02-01
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121517
    title: Debian DLA-1652-1 : libvncserver security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-0060-1.NASL
    description: This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-11
    plugin id: 121094
    published: 2019-01-11
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121094
    title: SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0060-1)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0052_LIBVNCSERVER.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libvncserver packages installed that are affected by multiple vulnerabilities: - An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. (CVE-2018-7225) - LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution (CVE-2018-15127) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127237
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127237
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : libvncserver Multiple Vulnerabilities (NS-SA-2019-0052)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-0059.NASL
    description: From Red Hat Security Advisory 2019:0059 : An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-18
    modified: 2019-01-16
    plugin id: 121200
    published: 2019-01-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121200
    title: Oracle Linux 7 : libvncserver (ELSA-2019-0059)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1979.NASL
    description: Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130408
    published: 2019-10-31
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130408
    title: Debian DLA-1979-1 : italc security update
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1096.NASL
    description: According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete. (CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. (CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete. (CVE-2018-20750) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution (CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution. (CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution (CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution (CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR (CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS. (CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2019-03-26
    plugin id: 123109
    published: 2019-03-26
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123109
    title: EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1096)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1617.NASL
    description: Kaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities. CVE-2018-6307 a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-15127 contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-20019 multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution. CVE-2018-20020 heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution. CVE-2018-20021 CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM. CVE-2018-20022 CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20023 Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20024 a NULL pointer dereference in VNC client code, which can result in DoS. For Debian 8
    last seen: 2020-03-26
    modified: 2018-12-27
    plugin id: 119877
    published: 2018-12-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119877
    title: Debian DLA-1617-1 : libvncserver security update

Redhat

advisories
bugzilla
id: 1661102
title: CVE-2018-15127 libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: libvncserver-devel is earlier than 0:0.9.9-13.el7_6
          oval: oval:com.redhat.rhsa:tst:20190059001
        • comment: libvncserver-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20141826002
      • AND
        • comment: libvncserver is earlier than 0:0.9.9-13.el7_6
          oval: oval:com.redhat.rhsa:tst:20190059003
        • comment: libvncserver is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20141826004
rhsa
id: RHSA-2019:0059
released: 2019-01-15
severity: Important
title: RHSA-2019:0059: libvncserver security update (Important)
rpms
  • libvncserver-0:0.9.9-13.el7_6
  • libvncserver-debuginfo-0:0.9.9-13.el7_6
  • libvncserver-devel-0:0.9.9-13.el7_6