Vulnerabilities > CVE-2018-20022 - Improper Initialization vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 2 | |
OS | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3877-1.NASL description It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-02-01 plugin id 121541 published 2019-02-01 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121541 title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3877-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(121541); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-20748", "CVE-2018-20749", "CVE-2018-20750", "CVE-2018-6307"); script_xref(name:"USN", value:"3877-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3877-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libvncclient1, libvncserver0 and / or libvncserver1 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20750"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncclient1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04 / 18.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libvncserver0", pkgver:"0.9.9+dfsg-1ubuntu1.4")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libvncclient1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libvncserver1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncclient1 / libvncserver0 / libvncserver1"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4383.NASL description Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure. last seen 2020-03-17 modified 2019-02-04 plugin id 121561 published 2019-02-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121561 title Debian DSA-4383-1 : libvncserver - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4383. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(121561); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-6307"); script_xref(name:"DSA", value:"4383"); script_name(english:"Debian DSA-4383-1 : libvncserver - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941" ); # https://security-tracker.debian.org/tracker/source-package/libvncserver script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b930abb4" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/libvncserver" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4383" ); script_set_attribute( attribute:"solution", value: "Upgrade the libvncserver packages. For the stable distribution (stretch), these problems have been fixed in version 0.9.11+dfsg-1.3~deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvncserver"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"libvncclient1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncclient1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver-config", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver-dev", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2016.NASL description Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver (which also ships the libvncclient shared library). The ssvnc source package in Debian ships a custom-patched, stripped down and outdated variant of libvncclient, thus some of libvncclient last seen 2020-06-01 modified 2020-06-02 plugin id 131434 published 2019-12-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131434 title Debian DLA-2016-1 : ssvnc security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2016-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(131434); script_version("1.2"); script_cvs_date("Date: 2019/12/09"); script_cve_id("CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20024"); script_name(english:"Debian DLA-2016-1 : ssvnc security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver (which also ships the libvncclient shared library). The ssvnc source package in Debian ships a custom-patched, stripped down and outdated variant of libvncclient, thus some of libvncclient's security fixes required porting over. CVE-2018-20020 LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution CVE-2018-20021 LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM CVE-2018-20022 LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR. CVE-2018-20024 LibVNC contained NULL pointer dereference in VNC client code that could result DoS. For Debian 8 'Jessie', these problems have been fixed in version 1.0.29-2+deb8u1. We recommend that you upgrade your ssvnc packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/ssvnc" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected ssvnc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ssvnc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"ssvnc", reference:"1.0.29-2+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13927-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-14 plugin id 121160 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121160 title SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:13927-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(121160); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20024", "CVE-2018-6307"); script_name(english:"SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120114" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120115" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120116" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120117" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120118" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120120" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120121" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1120122" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-15126/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-15127/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20019/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20020/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20021/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20022/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20024/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-6307/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-201913927-1.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b98becce" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-LibVNCServer-13927=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-LibVNCServer-13927=1 SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-LibVNCServer-13927=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-LibVNCServer-13927=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-LibVNCServer-13927=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-LibVNCServer-13927=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:LibVNCServer"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", reference:"LibVNCServer-0.9.1-160.6.1")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"LibVNCServer-0.9.1-160.6.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibVNCServer"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-45.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-03-18 modified 2019-01-14 plugin id 121154 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121154 title openSUSE Security Update : LibVNCServer (openSUSE-2019-45) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0080-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-14 plugin id 121158 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121158 title SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0080-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1051.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-22 plugin id 122378 published 2019-02-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122378 title EulerOS 2.0 SP2 : libvncserver (EulerOS-SA-2019-1051) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-53.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-03-18 modified 2019-01-22 plugin id 121282 published 2019-01-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121282 title openSUSE Security Update : LibVNCServer (openSUSE-2019-53) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201908-05.NASL description The remote host is affected by the vulnerability described in GLSA-201908-05 (LibVNCServer: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibVNCServer. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 127563 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127563 title GLSA-201908-05 : LibVNCServer: Multiple vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1033.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-15 plugin id 122206 published 2019-02-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122206 title EulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1033) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2045.NASL description Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix. CVE-2014-6053 The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2018-7225 rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2019-8287 TightVNC code contained global buffer overflow in HandleCoRREBBP macro function, which could potentially have result in code execution. This attack appeared to be exploitable via network connectivity. (aka CVE-2018-20020/libvncserver) CVE-2018-20021 TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM. CVE-2018-20022 TightVNC last seen 2020-06-01 modified 2020-06-02 plugin id 132345 published 2019-12-23 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132345 title Debian DLA-2045-1 : tightvnc security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0060-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-11 plugin id 121094 published 2019-01-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121094 title SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0060-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1979.NASL description Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver last seen 2020-06-01 modified 2020-06-02 plugin id 130408 published 2019-10-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130408 title Debian DLA-1979-1 : italc security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1096.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-03-26 plugin id 123109 published 2019-03-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123109 title EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1096) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1617.NASL description Kaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities. CVE-2018-6307 a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-15127 contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-20019 multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution. CVE-2018-20020 heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution. CVE-2018-20021 CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM. CVE-2018-20022 CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20023 Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20024 a NULL pointer dereference in VNC client code, which can result in DoS. For Debian 8 last seen 2020-03-26 modified 2018-12-27 plugin id 119877 published 2018-12-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119877 title Debian DLA-1617-1 : libvncserver security update
References
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/
- https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
- https://usn.ubuntu.com/3877-1/
- https://www.debian.org/security/2019/dsa-4383
- https://security.gentoo.org/glsa/201908-05
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://security.gentoo.org/glsa/202006-06
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4547-2/
- https://usn.ubuntu.com/4587-1/