CVE-2019-15691 - Operation on a Resource after Expiration or Release vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
TigerVNC versions prior to 1.10.1 are vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable that has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2020-87.NASL
- description: This update for tigervnc fixes the following issues :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

  This update was imported from the SUSE:SLE-15-SP1:Update update project.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133173
- published: 2020-01-22
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133173
- title: openSUSE Security Update : tigervnc (openSUSE-2020-87)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-87.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(133173);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/24");

  script_cve_id("CVE-2019-15691", "CVE-2019-15692", "CVE-2019-15693", "CVE-2019-15694", "CVE-2019-15695");

  script_name(english:"openSUSE Security Update : tigervnc (openSUSE-2020-87)");
  script_summary(english:"Check for the openSUSE-2020-87 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for tigervnc fixes the following issues :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).
This update was imported from the SUSE:SLE-15-SP1:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159856"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159858"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159860"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1160250"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1160251"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected tigervnc packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-x11vnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-java");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-module");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-module-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-novnc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"libXvnc-devel-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"libXvnc1-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"libXvnc1-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-debugsource-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-x11vnc-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-java-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-module-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-module-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-novnc-1.9.0-lp151.4.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXvnc-devel / libXvnc1 / libXvnc1-debuginfo / tigervnc / etc");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2020-0113-1.NASL
- description: This update for tigervnc fixes the following issues :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133035
- published: 2020-01-17
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133035
- title: SUSE SLED15 / SLES15 Security Update : tigervnc (SUSE-SU-2020:0113-1)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2020-0112-1.NASL
- description: This update for tigervnc fixes the following issues :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133034
- published: 2020-01-17
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133034
- title: SUSE SLED15 / SLES15 Security Update : tigervnc (SUSE-SU-2020:0112-1)

- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2020-1497.NASL
- description: From Red Hat Security Advisory 2020:1497 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1497 advisory.
  - tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691)
  - tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks (CVE-2019-15692)
  - tigervnc: Heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693)
  - tigervnc: Heap buffer overflow in DecodeManager::decodeRect (CVE-2019-15694)
  - tigervnc: Stack buffer overflow in CMsgReader::readSetCursor (CVE-2019-15695)

  Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-06-06
- modified: 2020-04-20
- plugin id: 135748
- published: 2020-04-20
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135748
- title: Oracle Linux 8 : tigervnc (ELSA-2020-1497)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-1497.NASL
- description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1497 advisory.
  - tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691)
  - tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks (CVE-2019-15692)
  - tigervnc: Heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693)
  - tigervnc: Heap buffer overflow in DecodeManager::decodeRect (CVE-2019-15694)
  - tigervnc: Stack buffer overflow in CMsgReader::readSetCursor (CVE-2019-15695)

  Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-04-30
- modified: 2020-04-22
- plugin id: 135876
- published: 2020-04-22
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135876
- title: RHEL 8 : tigervnc (RHSA-2020:1497)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2020-0266-1.NASL
- description: This update for tigervnc provides the following fixes : Security issues fixed :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

  Non-security issue fixed : Make sure CN in generated certificate doesn
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133395
- published: 2020-01-31
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133395
- title: SUSE SLES12 Security Update : tigervnc (SUSE-SU-2020:0266-1)

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2020-0159-1.NASL
- description: This update for tigervnc fixes the following issues :
  - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856).
  - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250).
  - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858).
  - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251).
  - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860).

  Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133201
- published: 2020-01-23
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133201
- title: SUSE SLES12 Security Update : tigervnc (SUSE-SU-2020:0159-1)

Redhat
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00039.html
- https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40
- https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1
- https://www.openwall.com/lists/oss-security/2019/12/20/2