CVE-2018-7225 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker typically controls the value of the variable and tries to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2018-1055.NASL
    description: An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c (CVE-2018-7225) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110235
    published: 2018-05-31
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110235
    title: CentOS 7 : libvncserver (CESA-2018:1055)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1055 and 
    # CentOS Errata and Security Advisory 2018:1055 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110235);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-7225");
      script_xref(name:"RHSA", value:"2018:1055");
    
      script_name(english:"CentOS 7 : libvncserver (CESA-2018:1055)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libvncserver is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    LibVNCServer is a C library that enables you to implement VNC server
    functionality into own programs.
    
    Security Fix(es) :
    
    * libvncserver: Improper input sanitization in
    rfbProcessClientNormalMessage in rfbserver.c (CVE-2018-7225)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section."
      );
      # https://lists.centos.org/pipermail/centos-announce/2018-May/022877.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e9bf882c"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libvncserver packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7225");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libvncserver");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libvncserver-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libvncserver-0.9.9-12.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libvncserver-devel-0.9.9-12.el7_5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncserver / libvncserver-devel");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-0830-1.NASL
    description: LibVNCServer was updated to fix two security issues. These security issues were fixed : - CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493). - CVE-2016-9942: Heap-based buffer overflow in ultra.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions (bsc#1017712). - CVE-2016-9941: Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area (bsc#1017711). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108685
    published: 2018-03-28
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108685
    title: SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2018:0830-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0830-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108685);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2016-9941", "CVE-2016-9942", "CVE-2018-7225");
    
      script_name(english:"SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2018:0830-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "LibVNCServer was updated to fix two security issues. These security
    issues were fixed :
    
      - CVE-2018-7225: Missing input sanitization inside
        rfbserver.c rfbProcessClientNormalMessage()
        (bsc#1081493).
    
      - CVE-2016-9942: Heap-based buffer overflow in ultra.c
        allowed remote servers to cause a denial of service
        (application crash) or possibly execute arbitrary code
        via a crafted FramebufferUpdate message with the Ultra
        type tile, such that the LZO payload decompressed length
        exceeds what is specified by the tile dimensions
        (bsc#1017712).
    
      - CVE-2016-9941: Heap-based buffer overflow in rfbproto.c
        allowed remote servers to cause a denial of service
        (application crash) or possibly execute arbitrary code
        via a crafted FramebufferUpdate message containing a
        subrectangle outside of the client drawing area
        (bsc#1017711).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017711"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017712"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081493"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9941/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9942/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7225/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180830-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3b21b199"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-554=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2018-554=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2018-554=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-554=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-554=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:LibVNCServer-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvncclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvncclient0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvncserver0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvncserver0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2/3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"LibVNCServer-debugsource-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libvncclient0-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libvncclient0-debuginfo-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libvncserver0-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libvncserver0-debuginfo-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"LibVNCServer-debugsource-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libvncclient0-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libvncclient0-debuginfo-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libvncserver0-0.9.9-17.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libvncserver0-debuginfo-0.9.9-17.5.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LibVNCServer");
    }
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1176.NASL
    description: According to the version of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. (CVE-2018-7225) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2018-07-02
    plugin id: 110828
    published: 2018-07-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110828
    title: EulerOS 2.0 SP3 : libvncserver (EulerOS-SA-2018-1176)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-43541091AB.NASL
    description: This release fixes a possible sensitive data leak and a memory exhaustion when handling ClientTextCut messages of the RFB protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-04-04
    plugin id: 108818
    published: 2018-04-04
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108818
    title: Fedora 26 : libvncserver (2018-43541091ab)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-390001D1C7.NASL
    description: This release fixes a possible sensitive data leak and a memory exhaustion when handling ClientTextCut messages of the RFB protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2019-01-03
    plugin id: 120355
    published: 2019-01-03
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/120355
    title: Fedora 28 : libvncserver (2018-390001d1c7)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3618-1.NASL
    description: It was discovered that LibVNCServer incorrectly handled certain packet lengths. A remote attacker able to connect to a LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108841
    published: 2018-04-05
    reporter: Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108841
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : libvncserver vulnerability (USN-3618-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2014.NASL
    description: Several vulnerabilities have been identified in the VNC code of vino, a desktop sharing utility for the GNOME desktop environment. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The vino source package in Debian ships a custom-patched and stripped down variant of libvncserver, thus some of libvncserver
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131432
    published: 2019-12-03
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131432
    title: Debian DLA-2014-1 : vino security update
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201908-05.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201908-05 (LibVNCServer: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibVNCServer. Please review the CVE identifiers referenced below for details. Impact : Please review the referenced CVE identifiers for details. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127563
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127563
    title: GLSA-201908-05 : LibVNCServer: Multiple vulnerabilities
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20180410_LIBVNCSERVER_ON_SL7_X.NASL
    description: Security Fix(es) : - libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c (CVE-2018-7225)
    last seen: 2020-03-18
    modified: 2018-05-01
    plugin id: 109451
    published: 2018-05-01
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109451
    title: Scientific Linux Security Update : libvncserver on SL7.x x86_64 (20180410)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2018-4897772A43.NASL
    description: This release fixes a possible sensitive data leak and a memory exhaustion when handling ClientTextCut messages of the RFB protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-03-28
    plugin id: 108669
    published: 2018-03-28
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108669
    title: Fedora 27 : libvncserver (2018-4897772a43)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1139.NASL
    description: According to the version of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. (CVE-2018-7225) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2018-05-29
    plugin id: 110143
    published: 2018-05-29
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110143
    title: EulerOS 2.0 SP1 : libvncserver (EulerOS-SA-2018-1139)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2018-1012.NASL
    description: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. (CVE-2018-7225)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109691
    published: 2018-05-11
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109691
    title: Amazon Linux 2 : libvncserver (ALAS-2018-1012)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1332.NASL
    description: libvncserver version through 0.9.11. does not sanitize msg.cct.length which may result in access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. For Debian 7
    last seen: 2020-03-17
    modified: 2018-04-02
    plugin id: 108766
    published: 2018-04-02
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108766
    title: Debian DLA-1332-1 : libvncserver security update
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2045.NASL
    description: Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix. CVE-2014-6053 The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2018-7225 rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2019-8287 TightVNC code contained global buffer overflow in HandleCoRREBBP macro function, which could potentially have result in code execution. This attack appeared to be exploitable via network connectivity. (aka CVE-2018-20020/libvncserver) CVE-2018-20021 TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM. CVE-2018-20022 TightVNC
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132345
    published: 2019-12-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132345
    title: Debian DLA-2045-1 : tightvnc security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-0875-1.NASL
    description: This update for LibVNCServer fixes the following issues : - CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108872
    published: 2018-04-06
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108872
    title: SUSE SLES11 Security Update : LibVNCServer (SUSE-SU-2018:0875-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-1055.NASL
    description: An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c (CVE-2018-7225) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108994
    published: 2018-04-11
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108994
    title: RHEL 7 : libvncserver (RHSA-2018:1055)
  • NASL family: NewStart CGSL Local Security Checks
    NASL id: NEWSTART_CGSL_NS-SA-2019-0052_LIBVNCSERVER.NASL
    description: The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libvncserver packages installed that are affected by multiple vulnerabilities: - An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. (CVE-2018-7225) - LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de contains heap out-of-bound write vulnerability in server code of file transfer extension that can result remote code execution (CVE-2018-15127) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127237
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127237
    title: NewStart CGSL CORE 5.04 / MAIN 5.04 : libvncserver Multiple Vulnerabilities (NS-SA-2019-0052)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1979.NASL
    description: Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130408
    published: 2019-10-31
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130408
    title: Debian DLA-1979-1 : italc security update
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4221.NASL
    description: Alexander Peslyak discovered that insufficient input sanitising of RFB packets in LibVNCServer could result in the disclosure of memory contents.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110420
    published: 2018-06-11
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110420
    title: Debian DSA-4221-1 : libvncserver - security update
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2018-1055.NASL
    description: From Red Hat Security Advisory 2018:1055 : An update for libvncserver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fix(es) : * libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c (CVE-2018-7225) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109153
    published: 2018-04-19
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109153
    title: Oracle Linux 7 : libvncserver (ELSA-2018-1055)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-326.NASL
    description: LibVNCServer was updated to fix two security issues. These security issues were fixed : - CVE-2018-7225: Missing input sanitization inside rfbserver.c rfbProcessClientNormalMessage() (bsc#1081493). - CVE-2016-9942: Heap-based buffer overflow in ultra.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions (bsc#1017712). - CVE-2016-9941: Heap-based buffer overflow in rfbproto.c allowed remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area (bsc#1017711). This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2018-03-30
    plugin id: 108743
    published: 2018-03-30
    reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/108743
    title: openSUSE Security Update : LibVNCServer (openSUSE-2018-326)

Redhat

advisories
bugzilla
id: 1546858
title: CVE-2018-7225 libvncserver: Improper input sanitization in rfbProcessClientNormalMessage in rfbserver.c
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: libvncserver-devel is earlier than 0:0.9.9-12.el7_5
          oval: oval:com.redhat.rhsa:tst:20181055001
        • comment: libvncserver-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20141826002
      • AND
        • comment: libvncserver is earlier than 0:0.9.9-12.el7_5
          oval: oval:com.redhat.rhsa:tst:20181055003
        • comment: libvncserver is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20141826004
rhsa
id: RHSA-2018:1055
released: 2018-04-10
severity: Moderate
title: RHSA-2018:1055: libvncserver security update (Moderate)
rpms
  • libvncserver-0:0.9.9-12.el7_5
  • libvncserver-debuginfo-0:0.9.9-12.el7_5
  • libvncserver-devel-0:0.9.9-12.el7_5