Vulnerabilities > CVE-2018-6307 - Use After Free vulnerability in multiple products

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
libvnc-project
debian
canonical
CWE-416
nessus

Summary

LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3877-1.NASL
    descriptionIt was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-02-01
    plugin id121541
    published2019-02-01
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121541
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3877-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121541);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-20748", "CVE-2018-20749", "CVE-2018-20750", "CVE-2018-6307");
      script_xref(name:"USN", value:"3877-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : libvncserver vulnerabilities (USN-3877-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that LibVNCServer incorrectly handled certain
    operations. A remote attacker able to connect to applications using
    LibVNCServer could possibly use this issue to obtain sensitive
    information, cause a denial of service, or execute arbitrary code.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3877-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected libvncclient1, libvncserver0 and / or
    libvncserver1 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20750");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncclient1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libvncserver1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|18\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 18.04 / 18.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libvncserver0", pkgver:"0.9.9+dfsg-1ubuntu1.4")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libvncclient1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libvncserver1", pkgver:"0.9.10+dfsg-3ubuntu0.16.04.3")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"libvncclient1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"libvncserver1", pkgver:"0.9.11+dfsg-1.1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncclient1 / libvncserver0 / libvncserver1");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4383.NASL
    descriptionPavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure.
    last seen2020-03-17
    modified2019-02-04
    plugin id121561
    published2019-02-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121561
    titleDebian DSA-4383-1 : libvncserver - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4383. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121561);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20023", "CVE-2018-20024", "CVE-2018-6307");
      script_xref(name:"DSA", value:"4383");
    
      script_name(english:"Debian DSA-4383-1 : libvncserver - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Pavel Cheremushkin discovered several vulnerabilities in libvncserver,
    a library to implement VNC server/client functionalities, which might
    result in the execution of arbitrary code, denial of service or
    information disclosure."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916941"
      );
      # https://security-tracker.debian.org/tracker/source-package/libvncserver
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b930abb4"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/libvncserver"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4383"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libvncserver packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 0.9.11+dfsg-1.3~deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libvncserver");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"libvncclient1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libvncclient1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libvncserver-config", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libvncserver-dev", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libvncserver1", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libvncserver1-dbg", reference:"0.9.11+dfsg-1.3~deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-13927-1.NASL
    descriptionThis update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-14
    plugin id121160
    published2019-01-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121160
    titleSUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:13927-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121160);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");
    
      script_cve_id("CVE-2018-15126", "CVE-2018-15127", "CVE-2018-20019", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20024", "CVE-2018-6307");
    
      script_name(english:"SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2019:13927-1)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for LibVNCServer fixes the following issues :
    
    Security issues fixed :
    
    CVE-2018-15126: Fixed use-after-free in file transfer extension
    (bsc#1120114)
    
    CVE-2018-6307: Fixed use-after-free in file transfer extension server
    code (bsc#1120115)
    
    CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC
    client code (bsc#1120116)
    
    CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c
    (bsc#1120117)
    
    CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client
    code (bsc#1120118)
    
    CVE-2018-20022: Fixed information disclosure through improper
    initialization in VNC client code (bsc#1120120)
    
    CVE-2018-20024: Fixed NULL pointer dereference in VNC client code
    (bsc#1120121)
    
    CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120114"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120115"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120116"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120117"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120121"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120122"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15126/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-15127/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20019/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20020/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20021/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20022/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20024/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-6307/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-201913927-1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b98becce"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-LibVNCServer-13927=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-LibVNCServer-13927=1
    
    SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
    slessp3-LibVNCServer-13927=1
    
    SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
    sleposp3-LibVNCServer-13927=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-LibVNCServer-13927=1
    
    SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
    dbgsp3-LibVNCServer-13927=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-20020");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:LibVNCServer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"LibVNCServer-0.9.1-160.6.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"LibVNCServer-0.9.1-160.6.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibVNCServer");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-45.NASL
    descriptionThis update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-03-18
    modified2019-01-14
    plugin id121154
    published2019-01-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121154
    titleopenSUSE Security Update : LibVNCServer (openSUSE-2019-45)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0080-1.NASL
    descriptionThis update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-14
    plugin id121158
    published2019-01-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121158
    titleSUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2019:0080-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1051.NASL
    descriptionAccording to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-22
    plugin id122378
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122378
    titleEulerOS 2.0 SP2 : libvncserver (EulerOS-SA-2019-1051)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-53.NASL
    descriptionThis update for LibVNCServer fixes the following issues : Security issues fixed : - CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) - CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) - CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) - CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) - CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) - CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) - CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) - CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) - CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-03-18
    modified2019-01-22
    plugin id121282
    published2019-01-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121282
    titleopenSUSE Security Update : LibVNCServer (openSUSE-2019-53)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1033.NASL
    descriptionAccording to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - libvncserver: Heap out-of-bounds write in rfbserver.c in rfbProcessFileTransferReadBuffer() allows for potential code execution (CVE-2018-15127) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-02-15
    plugin id122206
    published2019-02-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122206
    titleEulerOS 2.0 SP5 : libvncserver (EulerOS-SA-2019-1033)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0060-1.NASL
    descriptionThis update for LibVNCServer fixes the following issues : Security issues fixed : CVE-2018-15126: Fixed use-after-free in file transfer extension (bsc#1120114) CVE-2018-6307: Fixed use-after-free in file transfer extension server code (bsc#1120115) CVE-2018-20020: Fixed heap out-of-bound write inside structure in VNC client code (bsc#1120116) CVE-2018-15127: Fixed heap out-of-bounds write in rfbserver.c (bsc#1120117) CVE-2018-20019: Fixed multiple heap out-of-bound writes in VNC client code (bsc#1120118) CVE-2018-20023: Fixed information disclosure through improper initialization in VNC Repeater client code (bsc#1120119) CVE-2018-20022: Fixed information disclosure through improper initialization in VNC client code (bsc#1120120) CVE-2018-20024: Fixed NULL pointer dereference in VNC client code (bsc#1120121) CVE-2018-20021: Fixed infinite loop in VNC client code (bsc#1120122) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-18
    modified2019-01-11
    plugin id121094
    published2019-01-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121094
    titleSUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2019:0060-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1979.NASL
    descriptionSeveral vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver
    last seen2020-06-01
    modified2020-06-02
    plugin id130408
    published2019-10-31
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130408
    titleDebian DLA-1979-1 : italc security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1096.NASL
    descriptionAccording to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - LibVNC before 0.9.12 contains multiple heap out-of-bounds write vulnerabilities in libvncclient/rfbproto.c. The fix for CVE-2018-20019 was incomplete.(CVE-2018-20748) - LibVNC before 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20749) - LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.(CVE-2018-20750) - LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d contains heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution(CVE-2018-20020) - LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution.(CVE-2018-6307) - LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains heap use-after-free vulnerability in server code of file transfer extension that can result remote code execution(CVE-2018-15126) - LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f contains multiple heap out-of-bound write vulnerabilities in VNC client code that can result remote code execution(CVE-2018-20019) - LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR(CVE-2018-20022) - LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 contains null pointer dereference in VNC client code that can result DoS.(CVE-2018-20024) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2019-03-26
    plugin id123109
    published2019-03-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123109
    titleEulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2019-1096)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1617.NASL
    descriptionKaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities. CVE-2018-6307 a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-15127 contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution. This attack appears to be exploitable via network connectivity. CVE-2018-20019 multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution. CVE-2018-20020 heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution. CVE-2018-20021 CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM. CVE-2018-20022 CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20023 Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. CVE-2018-20024 a NULL pointer dereference in VNC client code, which can result in DoS. For Debian 8
    last seen2020-03-26
    modified2018-12-27
    plugin id119877
    published2018-12-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119877
    titleDebian DLA-1617-1 : libvncserver security update