Vulnerabilities > CVE-2018-20748 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 1 | |
OS | 4 | |
OS | 6 | |
Hardware | 6 |
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13952-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828) CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832) CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122151 published 2019-02-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122151 title SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13952-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0313-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828) CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832) CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122092 published 2019-02-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122092 title SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0313-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3877-1.NASL description It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-02-01 plugin id 121541 published 2019-02-01 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121541 title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-196.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828) - CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832) - CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 122296 published 2019-02-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122296 title openSUSE Security Update : LibVNCServer (openSUSE-2019-196) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1051.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-02-22 plugin id 122378 published 2019-02-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122378 title EulerOS 2.0 SP2 : libvncserver (EulerOS-SA-2019-1051) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-200.NASL description This update for LibVNCServer fixes the following issues: 	 Security issues fixed : - CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828) - CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832) - CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 122300 published 2019-02-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122300 title openSUSE Security Update : LibVNCServer (openSUSE-2019-200) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0283-1.NASL description This update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-20749: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123828) CVE-2018-20750: Fixed a heap out of bounds write vulnerability in rfbserver.c (bsc#1123832) CVE-2018-20748: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1123823) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122047 published 2019-02-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122047 title SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0283-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1068.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-03-08 plugin id 122691 published 2019-03-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122691 title EulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1068) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2045.NASL description Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix. CVE-2014-6053 The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2018-7225 rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2019-8287 TightVNC code contained global buffer overflow in HandleCoRREBBP macro function, which could potentially have result in code execution. This attack appeared to be exploitable via network connectivity. (aka CVE-2018-20020/libvncserver) CVE-2018-20021 TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM. CVE-2018-20022 TightVNC last seen 2020-06-01 modified 2020-06-02 plugin id 132345 published 2019-12-23 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132345 title Debian DLA-2045-1 : tightvnc security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1652.NASL description A vulnerability was found by Kaspersky Lab in libvncserver, a C library to implement VNC server/client functionalities. In addition, some of the vulnerabilities addressed in DLA 1617-1 were found to have incomplete fixes, and have been addressed in this update. CVE-2018-15126 An attacker can cause denial of service or remote code execution via a heap use-after-free issue in the tightvnc-filetransfer extension. CVE-2018-20748 CVE-2018-20749 CVE-2018-20750 Some of the out of bound heap write fixes for CVE-2018-20019 and CVE-2018-15127 were incomplete. These CVEs address those issues. For Debian 8 last seen 2020-03-17 modified 2019-02-01 plugin id 121517 published 2019-02-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121517 title Debian DLA-1652-1 : libvncserver security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1979.NASL description Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver last seen 2020-06-01 modified 2020-06-02 plugin id 130408 published 2019-10-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130408 title Debian DLA-1979-1 : italc security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1096.NASL description According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-03-26 plugin id 123109 published 2019-03-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123109 title EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1096)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf
- https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae
- https://github.com/LibVNC/libvncserver/commit/a64c3b37af9a6c8f8009d7516874b8d266b42bae
- https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
- https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
- https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
- https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
- https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c
- https://github.com/LibVNC/libvncserver/commit/e34bcbb759ca5bef85809967a268fdf214c1ad2c
- https://github.com/LibVNC/libvncserver/issues/273
- https://github.com/LibVNC/libvncserver/issues/273
- https://lists.debian.org/debian-lts-announce/2019/01/msg00029.html
- https://lists.debian.org/debian-lts-announce/2019/01/msg00029.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4587-1/
- https://usn.ubuntu.com/4587-1/
- https://www.openwall.com/lists/oss-security/2018/12/10/8
- https://www.openwall.com/lists/oss-security/2018/12/10/8