CVE-2019-15681 - Improper Initialization vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE

Summary

LibVNC before commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a "memory leak" in VNC server code, in the sense of leaking memory contents rather than failing to free a resource: uninitialized stack memory is sent to the client, which allows an attacker to read stack memory and can be abused for information disclosure. (The advisory text cites CWE-655; the weakness that matches this description and this entry's title is Improper Initialization, CWE-665.) Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. The attack appears to be exploitable via network connectivity. The vulnerability has been fixed in commit d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a.
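The pattern behind this entry, as an added example that is not LibVNCServer's own code: a protocol header whose padding bytes are never written is sent to the client byte-for-byte, shown beside the hardened form that zeroes the header first, plus a client-side check a tester can run on a captured header. The layout used is the RFB ServerCutText header (one type byte, three padding bytes, a big-endian 32-bit length) as defined by the RFB protocol; that this is the message involved in CVE-2019-15681 is an assumption made here for illustration, since the entry does not name the affected function. The stale byte pattern 0xAA is constructed; in the real bug those bytes are whatever an earlier call left in the stack frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RFB_SERVER_CUT_TEXT 3
#define CUT_TEXT_HDR_LEN    8   /* type(1) + padding(3) + length(4) */

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape (illustrative, not the project's code): only the fields
 * the sender cares about are written, so bytes 1..3 (the RFB padding) keep
 * whatever the buffer already held. A header struct declared on the stack
 * and never memset behaves the same way; the stale bytes then come from an
 * earlier call's frame, which is what makes them an ASLR-relevant leak. */
size_t encode_cut_text_hdr_unsafe(uint8_t *out, uint32_t text_len)
{
    out[0] = RFB_SERVER_CUT_TEXT;
    put_be32(out + 4, text_len);
    return CUT_TEXT_HDR_LEN;
}

/* Hardened shape: zero the whole header before filling any field. */
size_t encode_cut_text_hdr_safe(uint8_t *out, uint32_t text_len)
{
    memset(out, 0, CUT_TEXT_HDR_LEN);
    out[0] = RFB_SERVER_CUT_TEXT;
    put_be32(out + 4, text_len);
    return CUT_TEXT_HDR_LEN;
}

/* Client-side check on a received ServerCutText header: the protocol
 * defines bytes 1..3 as padding, so any non-zero value there is memory the
 * server had no reason to send. Returns the number of such bytes, or -1 if
 * the input is not a complete ServerCutText header. */
int count_leaked_pad_bytes(const uint8_t *hdr, size_t n)
{
    if (n < CUT_TEXT_HDR_LEN || hdr[0] != RFB_SERVER_CUT_TEXT)
        return -1;
    int leaked = 0;
    for (size_t i = 1; i < 4; i++)
        if (hdr[i] != 0)
            leaked++;
    return leaked;
}

uint32_t cut_text_len(const uint8_t *hdr)
{
    return get_be32(hdr + 4);
}

int main(void)
{
    uint8_t wire[CUT_TEXT_HDR_LEN];

    /* Constructed stand-in for stale stack contents. */
    memset(wire, 0xAA, sizeof wire);
    encode_cut_text_hdr_unsafe(wire, 5);
    printf("unsafe encoder: %d padding bytes carry stale data\n",
           count_leaked_pad_bytes(wire, sizeof wire));

    memset(wire, 0xAA, sizeof wire);
    encode_cut_text_hdr_safe(wire, 5);
    printf("safe encoder:   %d padding bytes carry stale data\n",
           count_leaked_pad_bytes(wire, sizeof wire));
    return 0;
}
```

On a live target the same check applies to the eight header bytes read back after the server sends a clipboard update: a non-zero count means the server transmitted memory it never initialized. That is only a few bytes per message, which matches the summary's point that the leak matters mainly when combined with another bug.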

Common Weakness Enumeration (CWE)

  • CWE-665: Improper Initialization (the weakness named in this entry's title; the advisory text's "CWE-655" is a different entry)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-0955-1.NASL
    description: This update for vino fixes the following issues: CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-04-16
    modified: 2020-04-10
    plugin id: 135388
    published: 2020-04-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135388
    title: SUSE SLES12 Security Update : vino (SUSE-SU-2020:0955-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2014.NASL
    description: Several vulnerabilities have been identified in the VNC code of vino, a desktop sharing utility for the GNOME desktop environment. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The vino source package in Debian ships a custom-patched and stripped down variant of libvncserver, thus some of libvncserver
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131432
    published: 2019-12-03
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131432
    title: Debian DLA-2014-1 : vino security update
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2020-624.NASL
    description: This update for LibVNCServer fixes the following issues: - CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471). - CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419). - CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-05-15
    modified: 2020-05-11
    plugin id: 136453
    published: 2020-05-11
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136453
    title: openSUSE Security Update : LibVNCServer (openSUSE-2020-624)
  • NASL family: Virtuozzo Local Security Checks
    NASL id: VIRTUOZZO_VZA-2019-093.NASL
    description: According to the version of the parallels-kernel-modules / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerability: - libVNCServer-0.9.10 contains a memory leak in VNC server code, which may allow an attacker to read stack memory. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131834
    published: 2019-12-09
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131834
    title: Virtuozzo 6 : parallels-kernel-modules / etc (VZA-2019-093)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1977.NASL
    description: LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130406
    published: 2019-10-31
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130406
    title: Debian DLA-1977-1 : libvncserver security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-1165-1.NASL
    description: This update for LibVNCServer fixes the following issues: CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471). CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419). CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-12
    modified: 2020-05-07
    plugin id: 136396
    published: 2020-05-07
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136396
    title: SUSE SLES12 Security Update : LibVNCServer (SUSE-SU-2020:1165-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-2045.NASL
    description: Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix. CVE-2014-6053: The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2018-7225: rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2019-8287: TightVNC code contained a global buffer overflow in the HandleCoRREBBP macro function, which could potentially have resulted in code execution. This attack appeared to be exploitable via network connectivity. (aka CVE-2018-20020/libvncserver) CVE-2018-20021: TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM. CVE-2018-20022: TightVNC
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 132345
    published: 2019-12-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132345
    title: Debian DLA-2045-1 : tightvnc security update
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-1164-1.NASL
    description: This update for LibVNCServer fixes the following issues: CVE-2019-15690: Fixed a heap buffer overflow (bsc#1160471). CVE-2019-15681: Fixed a memory leak which could have allowed a remote attacker to read stack memory (bsc#1155419). CVE-2019-20788: Fixed an integer overflow and heap-based buffer overflow via a large height or width value (bsc#1170441). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-12
    modified: 2020-05-07
    plugin id: 136395
    published: 2020-05-07
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136395
    title: SUSE SLED15 / SLES15 Security Update : LibVNCServer (SUSE-SU-2020:1164-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1979.NASL
    description: Several vulnerabilities have been identified in the VNC code of iTALC, a classroom management software. All vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The italc source package in Debian ships a custom-patched version of libvncserver, thus libvncserver
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130408
    published: 2019-10-31
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130408
    title: Debian DLA-1979-1 : italc security update