## 1\. EXECUTIVE SUMMARY
**\--------- Begin Update A Part 1 of 5 ---------**
This advisory was previously released with a set of Siemens products considered to be affected. Following further investigation by the Siemens team, it was determined that all products previously advised are not affected by any vulnerability listed in this advisory or Siemens Security Advisory SSA-478893.
* Vendor: Siemens
* Equipment: SIMATIC ITC Industrial Thin Clients, SIMATIC WinCC Runtime Advanced/Professional, SIMATIC HMI Panels, SIPLUS extreme products
**\--------- End Update A Part 1 of 5 ---------**
## 2\. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-20-343-08 Siemens Products using TightVNC that was published December 8, 2020, to the ICS webpage on us-cert.cisa.gov.
## 3\. RISK EVALUATION
**\--------- Begin Update A Part 2 of 5 ---------**
All products listed in the original advisory associated with ICSA-20-343-08 Siemens Products using TightVNC are unaffected by TightVNC vulnerabilities.
**\--------- End Update A Part 2 of 5 ---------**
## 4\. TECHNICAL DETAILS
### 4.1 AFFECTED PRODUCTS
**\--------- Begin Update A Part 3 of 5 ---------**
Vulnerabilities in TightVNC (v1.X), a remote-control software package, do not affect the following Siemens products. The previous version of this advisory stated the following products were affected:
* SIMATIC HMI Comfort Outdoor Panels 7” and 15” (including SIPLUS variants): All versions prior to Version 16 update 3
* SIMATIC HMI Comfort Panel 4” to 22” (including SIPLUS variants): All versions prior to Version 16 update 3
* SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F: All versions prior to Version 16 update 3
* SIMATIC ITC1500 v3.1: All versions
* SIMATIC ITC1500 v3.1 PRO: All versions
* SIMATIC ITC1900 v3.1: All versions
* SIMATIC ITC1900 v3.1 Pro: All versions
* SIMATIC ITC2200 v3.1: All versions
* SIMATIC ITC2200 v3.1 PRO: All versions
* SIMATIC WinCC Runtime Advanced: All versions prior to Version 16 update 3
* SIMATIC WinCC Runtime Professional: All versions prior to Version 16 update 3
**\--------- End Update A Part 3 of 5 ---------**
### 4.2 VULNERABILITY OVERVIEW
#### 4.2.1 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)
TightVNC code Version 1.3.10 contains a heap buffer overflow in rfbServerCutText handler, which can potentially result in code execution. The attack appears to be exploitable via network connectivity.
[CVE-2019-15678](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15678>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
#### 4.2.2 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)
TightVNC code Version 1.3.10 contains a heap buffer overflow in InitialiseRFBConnection function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity.
[CVE-2019-15679](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15679>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
#### 4.2.3 [NULL POINTER DEREFERENCE CWE-476](<https://cwe.mitre.org/data/definitions/476.html>)
TightVNC code Version 1.3.10 contains a null pointer dereference in HandleZlibBPP function, which could result in a denial-of-service. This attack appears to be exploitable via network connectivity.
[CVE-2019-15680](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15680>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)).
#### 4.2.4 [BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120](<https://cwe.mitre.org/data/definitions/120.html>)
TightVNC code Version 1.3.10 contains a global buffer overflow in HandleCoRREBBP macro function, which can potentially result in code execution. This appears to be exploitable via network connectivity.
[CVE-2019-8287](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8287>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).
### 4.3 BACKGROUND
* **CRITICAL INFRASTRUCTURE SECTORS:** Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
* **COUNTRIES/AREAS DEPLOYED:** Worldwide
* **COMPANY HEADQUARTERS LOCATION:** Germany
### 4.4 RESEARCHER
**\--------- Begin Update A Part 4 of 5 ---------**
Siemens reported this update information to CISA.
**\--------- End Update A Part 4 of 5 ---------**
## 5\. MITIGATIONS
**\--------- Begin Update A Part 5 of 5 ---------**
This advisory was previously released with a set of Siemens products considered to be affected. Following further investigation by the Siemens team, it was determined that all products previously advised are not affected by any vulnerability listed in this advisory.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the [Siemens operational guidelines for industrial security](<https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf>) and following the recommendations in the product manuals.
For additional information, please refer to Siemens Security Advisory [SSA-478893](<https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf>).
[Contact Siemens](<https://www.siemens.com/cert/advisories>) for further inquiries on its security vulnerabilities.
**\--------- End Update A Part 5 of 5 ---------**
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).
Additional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
(CVE-2019-15680)\n\n - TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can\n potentially result code execution. This attack appear to be exploitable via network connectivity.\n (CVE-2019-8287)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15678\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15680\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8287\");\n # https://vuxml.freebsd.org/freebsd/b34c1947-a749-11ed-b24b-1c61b4739ac9.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2163185a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8287\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tightvnc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'tightvnc<=1.3.10_6'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:33:47", "description": "Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc.\n\nCVE-2018-7225\n\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized 
and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.\n\nCVE-2019-8287\n\nTightVNC code contained global buffer overflow in HandleCoRREBBP macro function, which could potentially have result in code execution. This attack appeared to be exploitable via network connectivity.\n\n(aka CVE-2018-20020/libvncserver)\n\nCVE-2018-20021\n\nTightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM.\n\nCVE-2018-20022\n\nTightVNC's vncviewer contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure.\nCombined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.\n\nCVE-2019-15678\n\nTightVNC code version contained heap buffer overflow in rfbServerCutText handler, which could have potentially resulted in code execution. This attack appeared to be exploitable via network connectivity.\n\n(partially aka CVE-2018-20748/libvnvserver)\n\nCVE-2019-15679\n\nTightVNC's vncviewer code contained a heap buffer overflow in InitialiseRFBConnection function, which could have potentially resulted in code execution. This attack appeared to be exploitable via network connectivity.\n\n(partially aka CVE-2018-20748/libvnvserver)\n\nCVE-2019-15680\n\nTightVNC's vncviewer code contained a NULL pointer dereference in HandleZlibBPP function, which could have resulted in Denial of System (DoS). This attack appeared to be exploitable via network connectivity.\n\nCVE-2019-15681\n\nTightVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could have been abused for information disclosure. 
Combined with another vulnerability, it could have been used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 1.3.9-6.5+deb8u1.\n\nWe recommend that you upgrade your tightvnc packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-12-23T00:00:00", "type": "nessus", "title": "Debian DLA-2045-1 : tightvnc security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-6053", "CVE-2018-20020", "CVE-2018-20021", "CVE-2018-20022", "CVE-2018-20748", "CVE-2018-7225", "CVE-2019-15678", "CVE-2019-15679", "CVE-2019-15680", "CVE-2019-15681", "CVE-2019-8287"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:tightvncserver", "p-cpe:/a:debian:debian_linux:xtightvncviewer", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2045.NASL", "href": "https://www.tenable.com/plugins/nessus/132345", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2045-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132345);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\n \"CVE-2014-6053\",\n \"CVE-2018-20021\",\n \"CVE-2018-20022\",\n \"CVE-2018-7225\",\n \"CVE-2019-15678\",\n \"CVE-2019-15679\",\n \"CVE-2019-15680\",\n \"CVE-2019-15681\",\n \"CVE-2019-8287\"\n );\n script_bugtraq_id(70092);\n script_xref(name:\"IAVA\", value:\"2020-A-0381\");\n\n script_name(english:\"Debian DLA-2045-1 : tightvnc security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have recently been discovered in TightVNC 1.x,\nan X11 based VNC server/viewer application for Windows and Unix.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in rfbserver.c in TightVNC\nserver did not properly handle attempts to send a large amount of\nClientCutText data, which allowed remote attackers to cause a denial\nof service (memory consumption or daemon crash) via a crafted message\nthat was processed by using a single unchecked malloc.\n\nCVE-2018-7225\n\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize\nmsg.cct.length, leading to access to uninitialized and potentially\nsensitive data or possibly unspecified other impact (e.g., an integer\noverflow) via specially crafted VNC packets.\n\nCVE-2019-8287\n\nTightVNC code contained global buffer overflow in HandleCoRREBBP macro\nfunction, which could potentially have result in code execution. 
This\nattack appeared to be exploitable via network connectivity.\n\n(aka CVE-2018-20020/libvncserver)\n\nCVE-2018-20021\n\nTightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop\nvulnerability. The vulnerability allowed an attacker to consume an\nexcessive amount of resources like CPU and RAM.\n\nCVE-2018-20022\n\nTightVNC's vncviewer contained multiple weaknesses CWE-665: Improper\nInitialization vulnerability in VNC client code that allowed attackers\nto read stack memory and could be abused for information disclosure.\nCombined with another vulnerability, it could be used to leak stack\nmemory layout and in bypassing ASLR.\n\nCVE-2019-15678\n\nTightVNC code version contained heap buffer overflow in\nrfbServerCutText handler, which could have potentially resulted in\ncode execution. This attack appeared to be exploitable via network\nconnectivity.\n\n(partially aka CVE-2018-20748/libvnvserver)\n\nCVE-2019-15679\n\nTightVNC's vncviewer code contained a heap buffer overflow in\nInitialiseRFBConnection function, which could have potentially\nresulted in code execution. This attack appeared to be exploitable via\nnetwork connectivity.\n\n(partially aka CVE-2018-20748/libvnvserver)\n\nCVE-2019-15680\n\nTightVNC's vncviewer code contained a NULL pointer dereference in\nHandleZlibBPP function, which could have resulted in Denial of System\n(DoS). This attack appeared to be exploitable via network\nconnectivity.\n\nCVE-2019-15681\n\nTightVNC contained a memory leak (CWE-655) in VNC server code, which\nallowed an attacker to read stack memory and could have been abused\nfor information disclosure. Combined with another vulnerability, it\ncould have been used to leak stack memory and bypass ASLR. 
This attack\nappeared to be exploitable via network connectivity.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.3.9-6.5+deb8u1.\n\nWe recommend that you upgrade your tightvnc packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/tightvnc\");\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected tightvncserver, and xtightvncviewer packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8287\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tightvncserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:xtightvncviewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/23\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"tightvncserver\", reference:\"1.3.9-6.5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"xtightvncviewer\", reference:\"1.3.9-6.5+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:03:57", "description": "It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680) It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS.\n(CVE-2019-15681) It was discovered that LibVNCServer incorrectly handled cursor shape updates. 
If a user were tricked in to connecting to a malicious server, an attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15690, CVE-2019-20788) It was discovered that LibVNCServer incorrectly handled decoding WebSocket frames. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2017-18922).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-07-06T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : LibVNCServer vulnerabilities (USN-4407-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18922", "CVE-2019-15680", "CVE-2019-15681", "CVE-2019-15690", "CVE-2019-20788"], "modified": "2023-05-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libvncclient1", "p-cpe:/a:canonical:ubuntu_linux:libvncserver1", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:20.04"], "id": "UBUNTU_USN-4407-1.NASL", "href": "https://www.tenable.com/plugins/nessus/138132", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4407-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138132);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/11\");\n\n script_cve_id(\"CVE-2017-18922\", \"CVE-2019-15680\", \"CVE-2019-15681\", \"CVE-2019-15690\", \"CVE-2019-20788\");\n script_xref(name:\"USN\", value:\"4407-1\");\n script_xref(name:\"IAVA\", value:\"2020-A-0381\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : LibVNCServer vulnerabilities (USN-4407-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that LibVNCServer incorrectly handled decompressing\ndata. An attacker could possibly use this issue to cause LibVNCServer\nto crash, resulting in a denial of service. (CVE-2019-15680) It was\ndiscovered that an information disclosure vulnerability existed in\nLibVNCServer when sending a ServerCutText message. An attacker could\npossibly use this issue to expose sensitive information. This issue\nonly affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS.\n(CVE-2019-15681) It was discovered that LibVNCServer incorrectly\nhandled cursor shape updates. If a user were tricked in to connecting\nto a malicious server, an attacker could possibly use this issue to\ncause LibVNCServer to crash, resulting in a denial of service, or\npossibly execute arbitrary code. This issue only affected Ubuntu\n19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15690,\nCVE-2019-20788) It was discovered that LibVNCServer incorrectly\nhandled decoding WebSocket frames. 
An attacker could possibly use this\nissue to cause LibVNCServer to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. This issue only affected\nUbuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2017-18922).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4407-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libvncclient1 and / or libvncserver1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-20788\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libvncclient1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libvncserver1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/01\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.10|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.10 / 20.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libvncclient1\", pkgver:\"0.9.10+dfsg-3ubuntu0.16.04.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libvncserver1\", pkgver:\"0.9.10+dfsg-3ubuntu0.16.04.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libvncclient1\", pkgver:\"0.9.11+dfsg-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libvncserver1\", pkgver:\"0.9.11+dfsg-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"libvncclient1\", pkgver:\"0.9.11+dfsg-1.3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"libvncserver1\", pkgver:\"0.9.11+dfsg-1.3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"libvncclient1\", pkgver:\"0.9.12+dfsg-9ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"libvncserver1\", pkgver:\"0.9.12+dfsg-9ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libvncclient1 / libvncserver1\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-11-13T19:20:47", "description": "This host is installed with TightVNC\n and is prone to code execution and denial of service vulnerabilities.", "cvss3": {}, "published": "2019-11-08T00:00:00", "type": "openvas", "title": "TightVNC Remote Code Execution and Denial of Service Vulnerabilities (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-8287", "CVE-2019-15678", "CVE-2019-15680", 
"CVE-2019-15679"], "modified": "2019-11-12T00:00:00", "id": "OPENVAS:1361412562310815831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815831", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:tightvnc:tightvnc\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815831\");\n script_version(\"2019-11-12T09:30:57+0000\");\n script_cve_id(\"CVE-2019-8287\", \"CVE-2019-15678\", \"CVE-2019-15679\", \"CVE-2019-15680\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 09:30:57 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-08 12:29:11 +0530 (Fri, 08 Nov 2019)\");\n script_name(\"TightVNC Remote Code Execution and Denial of Service Vulnerabilities (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with TightVNC\n and is prone to code execution and denial of service vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T19:15:00", "type": "debiancve", "title": "CVE-2019-15678", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15678"], "modified": "2019-10-29T19:15:00", "id": "DEBIANCVE:CVE-2019-15678", "href": "https://security-tracker.debian.org/tracker/CVE-2019-15678", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-13T18:14:05", "description": "TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T19:15:00", "type": "debiancve", "title": "CVE-2019-8287", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-8287"], "modified": "2019-10-29T19:15:00", "id": "DEBIANCVE:CVE-2019-8287", "href": "https://security-tracker.debian.org/tracker/CVE-2019-8287", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-13T14:44:40", "description": "TightVNC code version 1.3.10 contains heap buffer overflow in InitialiseRFBConnection function, which can potentially result code execution. 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T19:15:00", "type": "cve", "title": "CVE-2019-15679", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15679"], "modified": "2020-12-09T17:15:00", "cpe": ["cpe:/a:tightvnc:tightvnc:1.3.10"], "id": "CVE-2019-15679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15679", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:tightvnc:tightvnc:1.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:44:41", "description": "TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-10-29T19:15:00", "type": "cve", "title": "CVE-2019-15680", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15680"], "modified": "2020-12-09T17:15:00", "cpe": ["cpe:/a:tightvnc:tightvnc:1.3.10"], "id": "CVE-2019-15680", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15680", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:tightvnc:tightvnc:1.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:44:40", "description": "TightVNC code version 1.3.10 contains heap buffer overflow in rfbServerCutText handler, which can potentially result code execution.. 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T19:15:00", "type": "cve", "title": "CVE-2019-15678", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15678"], "modified": "2020-12-09T17:15:00", "cpe": ["cpe:/a:tightvnc:tightvnc:1.3.10"], "id": "CVE-2019-15678", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15678", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:tightvnc:tightvnc:1.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T15:27:09", "description": "TightVNC code version 1.3.10 contains global buffer overflow in HandleCoRREBBP macro function, which can potentially result code execution. 
This attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T19:15:00", "type": "cve", "title": "CVE-2019-8287", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-8287"], "modified": "2020-12-09T17:15:00", "cpe": ["cpe:/a:tightvnc:tightvnc:1.3.10"], "id": "CVE-2019-8287", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8287", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:tightvnc:tightvnc:1.3.10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-12-28T19:19:24", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-15679. Reason: This candidate is a duplicate of CVE-2019-15679. Notes: All CVE users should reference CVE-2019-15679 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2022-01-26T21:15:00", "type": "cve", "title": "CVE-2022-23967", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2019-15679", "CVE-2022-23967"], "modified": "2022-12-28T17:15:00", "cpe": [], "id": "CVE-2022-23967", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23967", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "ubuntucve": [{"lastseen": "2023-07-28T04:22:41", "description": "TightVNC code version 1.3.10 contains null pointer dereference in\nHandleZlibBPP function, which results Denial of System (DoS). This attack\nappear to be exploitable via network connectivity.\n\n#### Bugs\n\n * <https://github.com/LibVNC/libvncserver/issues/359>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | per upstream, this is a non-issue in libvncserver as checks are already done in zlib, see: https://github.com/LibVNC/libvncserver/issues/359#issuecomment-599133529 for completeness, the fix was added to focal and earlier releases, but will not be added to groovy+\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-10-29T00:00:00", "type": "ubuntucve", "title": "CVE-2019-15680", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", 
"baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15680"], "modified": "2019-10-29T00:00:00", "id": "UB:CVE-2019-15680", "href": "https://ubuntu.com/security/CVE-2019-15680", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-08-09T18:30:37", "description": "TightVNC code version 1.3.10 contains global buffer overflow in\nHandleCoRREBBP macro function, which can potentially result code execution.\nThis attack appear to be exploitable via network connectivity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T00:00:00", "type": "ubuntucve", "title": "CVE-2019-8287", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-8287"], "modified": "2019-10-29T00:00:00", "id": "UB:CVE-2019-8287", "href": "https://ubuntu.com/security/CVE-2019-8287", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T18:30:51", "description": "TightVNC code version 1.3.10 
contains heap buffer overflow in\nInitialiseRFBConnection function, which can potentially result code\nexecution. This attack appear to be exploitable via network connectivity.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | this CVE is for tightvnc, the equivalent flaw was CVE-2018-20748 in libvncserver\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T00:00:00", "type": "ubuntucve", "title": "CVE-2019-15679", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20748", "CVE-2019-15679"], "modified": "2019-10-29T00:00:00", "id": "UB:CVE-2019-15679", "href": "https://ubuntu.com/security/CVE-2019-15679", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-28T04:25:55", "description": "TightVNC code version 1.3.10 contains heap buffer overflow in\nrfbServerCutText handler, which can potentially result code execution..\nThis attack appear to be exploitable via network connectivity.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | this CVE is for tightvnc, the equivalent flaw 
was CVE-2018-20019 in libvncserver\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-10-29T00:00:00", "type": "ubuntucve", "title": "CVE-2019-15678", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20019", "CVE-2019-15678"], "modified": "2019-10-29T00:00:00", "id": "UB:CVE-2019-15678", "href": "https://ubuntu.com/security/CVE-2019-15678", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:38:19", "description": "An integer overflow vulnerability exists in TightVNC vncviewer. This vulnerability is due to improper handling of ServerCutText messages. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-01T00:00:00", "type": "checkpoint_advisories", "title": "TightVNC Integer Overflow (CVE-2019-15678)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-15678"], "modified": "2020-03-01T00:00:00", "id": "CPAI-2019-1750", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2023-06-23T15:36:40", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n * Ubuntu 19.10 \n * Ubuntu 18.04 ESM\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * libvncserver \\- vnc server library\n\nIt was discovered that LibVNCServer incorrectly handled decompressing data. An \nattacker could possibly use this issue to cause LibVNCServer to crash, \nresulting in a denial of service. (CVE-2019-15680)\n\nIt was discovered that an information disclosure vulnerability existed in \nLibVNCServer when sending a ServerCutText message. An attacker could possibly \nuse this issue to expose sensitive information. 
This issue only affected \nUbuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)\n\nIt was discovered that LibVNCServer incorrectly handled cursor shape updates. \nIf a user were tricked in to connecting to a malicious server, an attacker \ncould possibly use this issue to cause LibVNCServer to crash, resulting in a \ndenial of service, or possibly execute arbitrary code. This issue only \naffected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. \n(CVE-2019-15690, CVE-2019-20788)\n\nIt was discovered that LibVNCServer incorrectly handled decoding WebSocket \nframes. An attacker could possibly use this issue to cause LibVNCServer to \ncrash, resulting in a denial of service, or possibly execute arbitrary code. \nThis issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. \n(CVE-2017-18922)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-01T00:00:00", "type": "ubuntu", "title": "LibVNCServer vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18922", "CVE-2019-15680", "CVE-2019-15681", "CVE-2019-15690", "CVE-2019-20788"], 
"modified": "2020-07-01T00:00:00", "id": "USN-4407-1", "href": "https://ubuntu.com/security/notices/USN-4407-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-15T22:28:33", "description": "The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption vulnerabilities \u2013 many of which are critical in severity and some of which could result in remote code execution (RCE). According to researchers at Kaspersky, they potentially affect 600,000 web-accessible servers in systems that use the code.\n\nThe research looked into four popular VNC-based systems, LibVNC, UltraVNC, TightVNC1.X and TurboVNC, which are actively used in automated industrial facilities to enable remote control of systems, according to the firm. Approximately 32 percent of industrial network computers having some form of [remote administration tools](<https://threatpost.com/trickbot-remote-desktop/141879/>), including VNC.\n\n\u201cThe prevalence of such systems in general, and particularly ones that are vulnerable, is a significant issue for the industrial sector as potential damages can bring significant losses through disruption of complex production processes,\u201d Kaspersky researchers wrote in an analysis of the bugs for ICS CERT, [released Friday](<https://ics-cert.kaspersky.com/reports/2019/11/22/vnc-vulnerability-research/>).\n\nKasperksy found vulnerabilities not only in the client, but also on the server-side of the system; many of the latter however can only be exploited after password authentication. 
Across all 37 bugs, there are two main attack vectors, the firm said: \u201cAn attacker is on the same network with the VNC server and attacks it to gain the ability to execute code on the server with the server\u2019s privileges; [or] a user connects to an attacker\u2019s \u2018server\u2019 using a VNC client and the attacker exploits vulnerabilities in the client to attack the user and execute code on the user\u2019s machine.\u201d\n\nA significant number of the problems detailed in the research were found and reported last year; however, each of the projects examined also had newly discovered bugs.\n\nFor instance, a newly found critical (9.8 out of 10 on the CVSS v.3 severity rating scale) database stack buffer overflow vulnerability in the TurboVNC server code could result in RCE. The issue ([CVE-2019-15683](<https://nvd.nist.gov/vuln/detail/CVE-2019-15683>)) exists because the stack frame is not protected with a stack canary. However, to exploit the bug, authorization on the server is required.\n\n\u201cSome compilers perform\u2026optimizations by removing stack canary checks from the functions that don\u2019t have explicitly allocated arrays,\u201d according to the research. \u201cHowever, the compiler could make a mistake and fail to check for the presence of a buffer in some of the structures on the stack or in switch-case statements.\u201d\n\nAlso, a critical integer-overflow vulnerability ([CVE-2018-15361](<https://nvd.nist.gov/vuln/detail/CVE-2018-15361>)) exists in UltraVNC client-side code. This is also critical, with a CVSS rating of 9.8 out of 10, and can be exploited to cause a denial-of-service state. 
Researchers also \u201cwouldn\u2019t rule out that experts in exploiting the Windows userland heap could turn this vulnerability into an RCE if they wanted to.\u201d\n\n\u201cIf an integer overflow occurs when allocating m_desktopName and the buffer is allocated on the regular heap of the process, this will make it possible to write the null byte to the previous chunk,\u201d according to the research. \u201cIf an integer overflow does not occur and the system has sufficient memory, a large buffer will be allocated, with a new heap allocated for it. With the right parameters, a remote attacker would be able to write a null byte to the _NT_HEAP structure, which will be located directly before a huge chunk.\u201d\n\nMeanwhile, the [CVE-2019-8262](<https://nvd.nist.gov/vuln/detail/CVE-2019-8262>) critical vulnerability (with a CVSS score of 9.8 out of 10) was identified in the handler of data encoded using the UltraVNC encoding function that could cause information disclosure.\n\n\u201cThe uninitialized variable new_len is passed to the lzo1x_decompress function,\u201d according to the research. \u201cAt the time of calling the function, the variable should be equal to the length of the m_zlibbuf buffer\u2026since the variable new_len was not initialized, it contained a large text section address value. This made it possible for a remote user to pass specially crafted data to the decompression function as inputs to ensure that the function, when writing to the m_zlibbuf buffer, would write the data beyond the buffer\u2019s boundary, resulting in heap overflow.\u201d\n\nIn TightVNC code version 1.3.10, there\u2019s a critical global buffer overflow ([CVE-2019-8287](<https://nvd.nist.gov/vuln/detail/CVE-2019-8287#vulnCurrentDescriptionTitle>)) in HandleCoRREBBP macro function, also with a CVSS rating of 9.8 out of 10. 
This can also potentially result RCE, Kaspersky found.\n\nResearchers also recently found a high-severity flaw in LibVNC ([CVE-2019-15681](<https://nvd.nist.gov/vuln/detail/CVE-2019-15681>)), with a CVSS rating of 7.7 out of 10. It involves a memory leak exploitable via network connectivity in the VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. According to the advisory, combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.\n\nWorryingly, some of the bugs had been incorporated into the VNC code for years, meaning that projects built on it have \u201cinherited\u201d the issues.\n\n\u201cI was surprised to see the simplicity of discovered vulnerabilities, especially considering their significant lifetime,\u201d said Pavel Cheremushkin, Kaspersky ICS CERT vulnerability researcher, in a media statement. \u201cThis means that attackers could have noticed and taken advantage of the vulnerabilities a long time ago. Moreover, some classes of vulnerabilities are present in many open-source projects and remain there even after refactoring of the [main] codebase.\u201d\n\nKaspersky contacted the affected developers, and patches have been issued for supported products, it said. TightVNC for instance has discontinued the development of the TightVNC 1.X line and considers it end of life, so the bugs won\u2019t be patched.\n",
"cvss3": {}, "published": "2019-11-22T19:50:14", "type": "threatpost", "title": "Critical Flaws in VNC Threaten Industrial Environments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-15361", "CVE-2019-15681", "CVE-2019-15683", "CVE-2019-8262", "CVE-2019-8287", "CVE-2020-5135"], "modified": "2019-11-22T19:50:14", "id": "THREATPOST:8F6E27B46891F0167D7799A73F1A9380", "href": "https://threatpost.com/critical-flaws-vnc-industrial/150568/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}