Vulnerabilities > CVE-2019-15695 - Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
tigervnc
opensuse
CWE-754
nessus

Summary

TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since remote attacker can choose offset from start of the buffer to start writing his values, exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-87.NASL
    descriptionThis update for tigervnc fixes the following issues : - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). - CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id133173
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133173
    titleopenSUSE Security Update : tigervnc (openSUSE-2020-87)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2020-87.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133173);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/24");
    
      script_cve_id("CVE-2019-15691", "CVE-2019-15692", "CVE-2019-15693", "CVE-2019-15694", "CVE-2019-15695");
    
      script_name(english:"openSUSE Security Update : tigervnc (openSUSE-2020-87)");
      script_summary(english:"Check for the openSUSE-2020-87 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tigervnc fixes the following issues :
    
      - CVE-2019-15691: Fixed a use-after-return due to
        incorrect usage of stack memory in ZRLEDecoder
        (bsc#1159856).
    
      - CVE-2019-15692: Fixed a heap-based buffer overflow in
        CopyRectDecode (bsc#1160250).
    
      - CVE-2019-15693: Fixed a heap-based buffer overflow in
        TightDecoder::FilterGradient (bsc#1159858).
    
      - CVE-2019-15694: Fixed a heap-based buffer overflow,
        caused by improper error handling in processing
        MemOutStream (bsc#1160251).
    
      - CVE-2019-15695: Fixed a stack-based buffer overflow,
        which could be triggered from CMsgReader::readSetCursor
        (bsc#1159860).
    
    This update was imported from the SUSE:SLE-15-SP1:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159856"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159858"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1159860"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1160250"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1160251"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected tigervnc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libXvnc1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tigervnc-x11vnc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-module");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-module-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:xorg-x11-Xvnc-novnc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.1", reference:"libXvnc-devel-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"libXvnc1-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"libXvnc1-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-debugsource-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"tigervnc-x11vnc-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-java-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-module-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-module-debuginfo-1.9.0-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"xorg-x11-Xvnc-novnc-1.9.0-lp151.4.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXvnc-devel / libXvnc1 / libXvnc1-debuginfo / tigervnc / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0113-1.NASL
    descriptionThis update for tigervnc fixes the following issues : CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133035
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133035
    titleSUSE SLED15 / SLES15 Security Update : tigervnc (SUSE-SU-2020:0113-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0112-1.NASL
    descriptionThis update for tigervnc fixes the following issues : CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133034
    published2020-01-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133034
    titleSUSE SLED15 / SLES15 Security Update : tigervnc (SUSE-SU-2020:0112-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1497.NASL
    descriptionFrom Red Hat Security Advisory 2020:1497 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1497 advisory. - tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691) - tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks (CVE-2019-15692) - tigervnc: Heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693) - tigervnc: Heap buffer overflow in DecodeManager::decodeRect (CVE-2019-15694) - tigervnc: Stack buffer overflow in CMsgReader::readSetCursor (CVE-2019-15695) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-20
    plugin id135748
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135748
    titleOracle Linux 8 : tigervnc (ELSA-2020-1497)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1497.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1497 advisory. - tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder (CVE-2019-15691) - tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks (CVE-2019-15692) - tigervnc: Heap buffer overflow in TightDecoder::FilterGradient (CVE-2019-15693) - tigervnc: Heap buffer overflow in DecodeManager::decodeRect (CVE-2019-15694) - tigervnc: Stack buffer overflow in CMsgReader::readSetCursor (CVE-2019-15695) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-22
    plugin id135876
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135876
    titleRHEL 8 : tigervnc (RHSA-2020:1497)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0266-1.NASL
    descriptionThis update for tigervnc provides the following fixes : Security issues fixed : CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). Non-security issue fixed : Make sure CN in generated certificate doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id133395
    published2020-01-31
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133395
    titleSUSE SLES12 Security Update : tigervnc (SUSE-SU-2020:0266-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0159-1.NASL
    descriptionThis update for tigervnc fixes the following issues : CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id133201
    published2020-01-23
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133201
    titleSUSE SLES12 Security Update : tigervnc (SUSE-SU-2020:0159-1)

Redhat

advisories
bugzilla
id1790318
titleCVE-2019-15695 tigervnc: Stack buffer overflow in CMsgReader::readSetCursor
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 8 is installed
      ovaloval:com.redhat.rhba:tst:20193384074
    • OR
      • AND
        • commenttigervnc-server-applet is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497001
        • commenttigervnc-server-applet is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110871002
      • AND
        • commenttigervnc-license is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497003
        • commenttigervnc-license is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152233008
      • AND
        • commenttigervnc-icons is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497005
        • commenttigervnc-icons is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152233010
      • AND
        • commenttigervnc-debugsource is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497007
        • commenttigervnc-debugsource is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20201497008
      • AND
        • commenttigervnc-server-module is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497009
        • commenttigervnc-server-module is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110871008
      • AND
        • commenttigervnc-server-minimal is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497011
        • commenttigervnc-server-minimal is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20152233002
      • AND
        • commenttigervnc-server is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497013
        • commenttigervnc-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110871004
      • AND
        • commenttigervnc is earlier than 0:1.9.0-14.el8_1
          ovaloval:com.redhat.rhsa:tst:20201497015
        • commenttigervnc is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110871006
rhsa
idRHSA-2020:1497
released2020-04-16
severityModerate
titleRHSA-2020:1497: tigervnc security update (Moderate)
rpms
  • tigervnc-0:1.9.0-14.el8_1
  • tigervnc-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-debugsource-0:1.9.0-14.el8_1
  • tigervnc-icons-0:1.9.0-14.el8_1
  • tigervnc-license-0:1.9.0-14.el8_1
  • tigervnc-server-0:1.9.0-14.el8_1
  • tigervnc-server-applet-0:1.9.0-14.el8_1
  • tigervnc-server-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-server-minimal-0:1.9.0-14.el8_1
  • tigervnc-server-minimal-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-server-module-0:1.9.0-14.el8_1
  • tigervnc-server-module-debuginfo-0:1.9.0-14.el8_1