Metric | CVSS2 (6.8 Medium) | CVSS3 (9.8 High) |
---|---|---|
Attack Vector | NETWORK | NETWORK |
Attack Complexity | MEDIUM | LOW |
Authentication / Privileges Required | NONE | NONE |
User Interaction | n/a | NONE |
Scope | n/a | UNCHANGED |
Confidentiality Impact | PARTIAL | HIGH |
Integrity Impact | PARTIAL | HIGH |
Availability Impact | PARTIAL | HIGH |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.011 (Low), percentile 84.3%
CentOS Errata and Security Advisory CESA-2017:2000
Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients which allows users to connect to other desktops running a VNC server.
FLTK (pronounced “fulltick”) is a cross-platform C++ GUI toolkit. It provides modern GUI functionality without the bloat, and supports 3D graphics via OpenGL and its built-in GLUT emulation.
The following packages have been upgraded to a later upstream version: tigervnc (1.8.0), fltk (1.3.4). (BZ#1388620, BZ#1413598)
Security Fix(es):
A denial of service flaw was found in TigerVNC's Xvnc server. A remote unauthenticated attacker could use this flaw to make Xvnc crash by terminating the TLS handshake process early. (CVE-2016-10207)
A double free flaw was found in the way TigerVNC handled ClientFence messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientFence messages, resulting in denial of service. (CVE-2017-7393)
A missing input sanitization flaw was found in the way TigerVNC handled credentials. A remote unauthenticated attacker could use this flaw to make Xvnc crash by sending specially crafted usernames, resulting in denial of service. (CVE-2017-7394)
An integer overflow flaw was found in the way TigerVNC handled ClientCutText messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientCutText messages, resulting in denial of service. (CVE-2017-7395)
A buffer overflow flaw, leading to memory corruption, was found in the TigerVNC viewer. A remote malicious VNC server could use this flaw to crash the client vncviewer process, resulting in denial of service. (CVE-2017-5581)
A memory leak flaw was found in the way TigerVNC handled termination of VeNCrypt connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion. (CVE-2017-7392)
A memory leak flaw was found in the way TigerVNC handled client connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion. (CVE-2017-7396)
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030380.html
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030843.html
Affected packages:
fltk
fltk-devel
fltk-fluid
fltk-static
tigervnc
tigervnc-icons
tigervnc-license
tigervnc-server
tigervnc-server-applet
tigervnc-server-minimal
tigervnc-server-module
Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2000
OS | OS Version | Architecture | Package | Affected Version | Fixed Filename |
---|---|---|---|---|---|
CentOS | 7 | i686 | fltk | < 1.3.4-1.el7 | fltk-1.3.4-1.el7.i686.rpm |
CentOS | 7 | x86_64 | fltk | < 1.3.4-1.el7 | fltk-1.3.4-1.el7.x86_64.rpm |
CentOS | 7 | i686 | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.i686.rpm |
CentOS | 7 | x86_64 | fltk-devel | < 1.3.4-1.el7 | fltk-devel-1.3.4-1.el7.x86_64.rpm |
CentOS | 7 | x86_64 | fltk-fluid | < 1.3.4-1.el7 | fltk-fluid-1.3.4-1.el7.x86_64.rpm |
CentOS | 7 | i686 | fltk-static | < 1.3.4-1.el7 | fltk-static-1.3.4-1.el7.i686.rpm |
CentOS | 7 | x86_64 | fltk-static | < 1.3.4-1.el7 | fltk-static-1.3.4-1.el7.x86_64.rpm |
CentOS | 7 | x86_64 | tigervnc | < 1.8.0-1.el7 | tigervnc-1.8.0-1.el7.x86_64.rpm |
CentOS | 7 | noarch | tigervnc-icons | < 1.8.0-1.el7 | tigervnc-icons-1.8.0-1.el7.noarch.rpm |
CentOS | 7 | noarch | tigervnc-license | < 1.8.0-1.el7 | tigervnc-license-1.8.0-1.el7.noarch.rpm |
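A practical follow-up to the affected-packages table: an added Python check (not part of the advisory or of CentOS tooling) that compares an installed-package inventory against the fixed versions listed above using RPM's own version-ordering rules, so that a naive string comparison cannot misjudge 1.10 against 1.9 or a `~rc1` pre-release against the final build. The inventory below is a constructed sample; on a real host it would come from `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'`.

```python
import re
# Fixed versions from the advisory table ("< 1.8.0-1.el7": anything older is affected).
FIXED = {"fltk": "1.3.4-1.el7", "fltk-devel": "1.3.4-1.el7", "fltk-fluid": "1.3.4-1.el7",
         "fltk-static": "1.3.4-1.el7", "tigervnc": "1.8.0-1.el7",
         "tigervnc-icons": "1.8.0-1.el7", "tigervnc-license": "1.8.0-1.el7"}
# Constructed sample of `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE_INVENTORY = ("tigervnc 1.3.1-9.el7\ntigervnc-license 1.8.0-1.el7\n"
                    "fltk 1.3.0-5.el7\nfltk-devel 1.3.4-1.el7\nbash 4.2.46-28.el7\n")
_SEG = re.compile(r"\d+|[A-Za-z]+|~")  # rpm ignores any other separator character

def rpmvercmp(a: str, b: str) -> int:
    """RPM-style segment comparison of two version (or release) strings: -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    if len(sa) < len(sb):
        return -rpmvercmp(b, a)  # normalise so that `a` is never the shorter one
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":  # tilde sorts before anything, even end of string
            if x != y:
                return -1 if x == "~" else 1
        elif x.isdigit() and y.isdigit():  # numeric segments: compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:  # alpha segments: plain lexical order
            return -1 if x < y else 1
    rest = sa[len(sb):]  # extra segments make `a` newer unless they start with '~'
    return 0 if not rest else (-1 if rest[0] == "~" else 1)

def evrcmp(a: str, b: str) -> int:
    """Compare '[epoch:]version-release' strings; a missing epoch counts as 0."""
    def split(evr):
        epoch, ver_rel = evr.split(":", 1) if ":" in evr else ("0", evr)
        ver, _, rel = ver_rel.partition("-")
        return int(epoch), ver, rel
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(inventory: str, fixed=FIXED):
    """Return (name, installed, fixed) for each advisory package installed below its fix."""
    hits = []
    for line in inventory.splitlines():
        name, _, evr = line.strip().partition(" ")
        if name in fixed and evrcmp(evr, fixed[name]) < 0:
            hits.append((name, evr, fixed[name]))
    return hits
```

Only the packages with a row in the table are in `FIXED`; the remaining tigervnc-server subpackages from the affected list would need their fixed version added from the referenced RHSA.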