LibVNCServer CVE-2018-20019 Multiple Heap Buffer Overflow Vulnerabilities

Bugtraq ID:	106821
Class:	Input Validation Error
CVE:	CVE-2018-20019
Remote:	Yes
Local:	No
Published:	Dec 19 2018 12:00AM
Updated:	Dec 19 2018 12:00AM
Credit:	Pavel Cheremushkin
Vulnerable:	Ubuntu Ubuntu Linux 18.10 Ubuntu Ubuntu Linux 18.04 LTS Ubuntu Ubuntu Linux 16.04 LTS Ubuntu Ubuntu Linux 14.04 LTS Redhat Enterprise Linux 7 Redhat Enterprise Linux 6 + Trustix Secure Enterprise Linux 2.0 + Trustix Secure Linux 2.2 + Trustix Secure Linux 2.1 + Trustix Secure Linux 2.0 LibVNCServer LibVNCServer 0.9.11 LibVNCServer LibVNCServer 0.9.10 LibVNCServer LibVNCServer 0.9.9 LibVNCServer LibVNCServer 0.9.8
Not Vulnerable:	LibVNCServer LibVNCServer 0.9.12

LibVNCServer CVE-2018-20019 Multiple Heap Buffer Overflow Vulnerabilities

LibVNCServer is prone to an multiple heap-based buffer-overflow vulnerabilities.

Attackers can exploit these issues to execute arbitrary code within the context of the user running the affected application. Failed attempts will likely cause a denial-of-service condition.

Versions prior to LibVNCServer 0.9.12 are vulnerable.

LibVNCServer CVE-2018-20019 Multiple Heap Buffer Overflow Vulnerabilities

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

LibVNCServer CVE-2018-20019 Multiple Heap Buffer Overflow Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

LibVNCServer CVE-2018-20019 Multiple Heap Buffer Overflow Vulnerabilities

References:

• LibVNCClient: fix three possible heap buffer overflows (libvncserver)
  
• LibVNCServer Homepage (Libvnc)
  
• Bug 1661114 (CVE-2018-20019) - CVE-2018-20019 libvncserver: Multiple heap out-o (Redhat)
  
• USN-3877-1: LibVNCServer vulnerabilities ()
  
• CVE-2018-20019 ()
  
• KLCERT-18-029: LibVNC Multiple Heap Out-of-Bound Vulnerabilities ()