Vulnerabilities > CVE-2018-20023 - Improper Initialization vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 | |
| OS | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3877-1.NASL description It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-02-01 plugin id 121541 published 2019-02-01 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121541 title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3877-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(121541); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-20748", "CVE-2018-20749", "CVE-2018-20750", "CVE-2018-6307"); script_xref(name:"USN", value:"3877-1"); script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3877-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected libvncclient1, libvncserver0 and / or libvncserver1 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20750"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncclient1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04 / 18.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libvncserver0", pkgver:"0.9.9+dfsg-1ubuntu1.4")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libvncclient1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"libvncserver1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncclient1 / libvncserver0 / libvncserver1"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4383.NASL description Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure. last seen 2020-03-17 modified 2019-02-04 plugin id 121561 published 2019-02-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121561 title Debian DSA-4383-1 : libvncserver - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4383. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(121561); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20"); script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-6307"); script_xref(name:"DSA", value:"4383"); script_name(english:"Debian DSA-4383-1 : libvncserver - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941" ); # https://security-tracker.debian.org/tracker/source-package/libvncserver script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b930abb4" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/libvncserver" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4383" ); script_set_attribute( attribute:"solution", value: "Upgrade the libvncserver packages. For the stable distribution (stretch), these problems have been fixed in version 0.9.11+dfsg-1.3~deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvncserver"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"libvncclient1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncclient1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver-config", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver-dev", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvncserver1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-45.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-03-18 modified 2019-01-14 plugin id 121154 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121154 title openSUSE Security Update : LibVNCServer (openSUSE-2019-45) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0080-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-14 plugin id 121158 published 2019-01-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121158 title SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0080-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-53.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-03-18 modified 2019-01-22 plugin id 121282 published 2019-01-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121282 title openSUSE Security Update : LibVNCServer (openSUSE-2019-53) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201908-05.NASL description The remote host is affected by the vulnerability described in GLSA-201908-05 (LibVNCServer: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibVNCServer. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 127563 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127563 title GLSA-201908-05 : LibVNCServer: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0060-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-11 plugin id 121094 published 2019-01-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121094 title SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0060-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1979.NASL description Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver last seen 2020-06-01 modified 2020-06-02 plugin id 130408 published 2019-10-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130408 title Debian DLA-1979-1 : italc security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1617.NASL description Kaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities. CVE-2018-6307 a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-15127 contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-20019 multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution. CVE-2018-20020 heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution. CVE-2018-20021 CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM. CVE-2018-20022 CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20023 Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20024 a NULL pointer dereference in VNC client code, which can result in DoS. For Debian 8 last seen 2020-03-26 modified 2018-12-27 plugin id 119877 published 2018-12-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119877 title Debian DLA-1617-1 : libvncserver security update
References
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-033-libvnc-memory-leak/
- https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://security.gentoo.org/glsa/201908-05
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4587-1/
- https://www.debian.org/security/2019/dsa-4383