Full Report
LibVNCServer before the 0.9.12 release contains a heap out-of-bounds write vulnerability in the server code of the file transfer extension, which can result in remote code execution.
Analysis Summary
# Vulnerability: LibVNCServer Heap Out-of-Bounds Write in File Transfer Extension
## CVE Details
- **CVE ID**: CVE-2018-15127
- **CVSS Score**: 9.8 (Critical) - *Note: While the source text mentions "0.0" due to a typo, the provided vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H calculates to a Critical score.*
- **CWE**: CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products**: LibVNCServer
- **Versions**: All versions prior to release 0.9.12
- **Configurations**: The vulnerability is specifically triggered when the **file transfer extension** is enabled in the server code.
## Vulnerability Description
LibVNCServer contains a heap-based out-of-bounds write vulnerability within its file transfer extension. The flaw resides in the way the server handles data packets related to file transfers. An attacker can send specially crafted packets that exceed the allocated buffer size on the heap, leading to memory corruption. Because this occurs on the heap, it can be leveraged to overwrite function pointers or other critical data structures.
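The following is an added example, not LibVNCServer's own code and not the patched function, showing the bounds checks that a heap-backed message handler of this kind needs in order not to become a CWE-787 write. The message layout (a 4-byte big-endian length followed by the payload) and the 1024-byte per-chunk heap allocation are assumptions made for the example; the sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative bounds-checked handler for a length-prefixed file-transfer
 * style message. Added example, not LibVNCServer code; the 4-byte big-endian
 * length header and the 1024-byte per-chunk allocation are assumptions. */

#define FT_CHUNK_MAX 1024u    /* assumed size of the heap buffer for one chunk */

struct ft_chunk {
    uint32_t len;          /* bytes currently stored in data */
    uint8_t *data;         /* heap allocation of FT_CHUNK_MAX bytes */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Copies one chunk into c->data. Returns 0 on success, -1 if the message is
 * malformed. The two checks on 'declared' are what keep this from being a
 * heap out-of-bounds write: the client-supplied length is never used as a
 * copy size until it has been compared with both the allocation size and
 * the number of bytes actually received. */
int ft_handle_chunk(struct ft_chunk *c, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4)
        return -1;                     /* no length header present */
    uint32_t declared = be32(msg);
    if (declared > FT_CHUNK_MAX)
        return -1;                     /* would write past the heap buffer */
    if ((size_t)declared > msg_len - 4)
        return -1;                     /* header claims more than was sent */
    memcpy(c->data, msg + 4, declared);
    c->len = declared;
    return 0;
}

/* Builds a constructed message whose header claims 'declared' bytes but
 * actually carries 'payload_len' bytes of 0x41 filler. */
static size_t make_msg(uint8_t *out, uint32_t declared, size_t payload_len) {
    out[0] = (uint8_t)(declared >> 24);
    out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);
    out[3] = (uint8_t)declared;
    memset(out + 4, 0x41, payload_len);
    return 4 + payload_len;
}

/* Well-formed 16-byte chunk: accepted and stored. Returns 1 on expected behaviour. */
int demo_accepts_valid(void) {
    uint8_t msg[4 + 16];
    struct ft_chunk c = { 0, calloc(FT_CHUNK_MAX, 1) };
    size_t n = make_msg(msg, 16, 16);
    int ok = ft_handle_chunk(&c, msg, n) == 0 && c.len == 16 && c.data[15] == 0x41;
    free(c.data);
    return ok;
}

/* Header claims FT_CHUNK_MAX + 1 bytes and really carries them: an unchecked
 * memcpy would write one byte past the allocation. The handler rejects it. */
int demo_rejects_oversized(void) {
    uint8_t msg[4 + FT_CHUNK_MAX + 1];
    struct ft_chunk c = { 0, calloc(FT_CHUNK_MAX, 1) };
    size_t n = make_msg(msg, FT_CHUNK_MAX + 1, FT_CHUNK_MAX + 1);
    int ok = ft_handle_chunk(&c, msg, n) == -1 && c.len == 0;
    free(c.data);
    return ok;
}

/* Header claims 64 bytes but only 8 follow: rejected rather than reading
 * past the end of the received message. */
int demo_rejects_truncated(void) {
    uint8_t msg[4 + 8];
    struct ft_chunk c = { 0, calloc(FT_CHUNK_MAX, 1) };
    size_t n = make_msg(msg, 64, 8);
    int ok = ft_handle_chunk(&c, msg, n) == -1 && c.len == 0;
    free(c.data);
    return ok;
}

int main(void) {
    printf("valid accepted:     %d\n", demo_accepts_valid());
    printf("oversized rejected: %d\n", demo_rejects_oversized());
    printf("truncated rejected: %d\n", demo_rejects_truncated());
    return 0;
}
```

The second check matters as much as the first: a length that fits the allocation but exceeds what was received turns the copy into an out-of-bounds read of whatever follows the message in memory, so both the allocation size and the received byte count bound the copy.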
## Exploitation
- **Status**: Proof of Concept (PoC) available.
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: High (Full access to memory/data)
- **Integrity**: High (Remote Code Execution capability)
- **Availability**: High (Service crash or system takeover)
## Remediation
### Patches
- **Upgrade to LibVNCServer 0.9.12** or newer. This release contains the formal fix for the heap overflow in the file transfer extension.
### Workarounds
- **Disable File Transfer**: If upgrading is not immediately possible, disable the file transfer extension in the LibVNCServer configuration so that the vulnerable server code path is no longer reachable over the network.
## Detection
- **Indicators of Compromise**: Monitor for unusual network traffic patterns targeting VNC ports (typically 5900+), specifically those initiating file transfer sequences. Look for unexpected crashes of the `rfb_server` process.
- **Detection methods and tools**: Use vulnerability scanners (e.g., Nessus, OpenVAS) to identify outdated versions of LibVNCServer. Intrusion Detection Systems (IDS) can be configured to alert on VNC file transfer handshakes from untrusted IPs.
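As an added example of the version check a scanner performs for this advisory (not code from the advisory or from LibVNCServer), the function below decides whether a reported LibVNCServer version string predates the fixed 0.9.12 release. The version strings in `main()` are constructed for illustration; the `LibVNCServer-` prefix handled here is the form used by the project's release tag cited under References.

```c
#include <stdio.h>
#include <string.h>

/* Added example: classifies a LibVNCServer version string against the fixed
 * release 0.9.12 named in the advisory. Sample strings are constructed. */

#define FIXED_MAJOR 0u
#define FIXED_MINOR 9u
#define FIXED_PATCH 12u

/* Returns 1 if 'version' is older than 0.9.12 (affected), 0 if it is 0.9.12
 * or newer, and -1 if the string cannot be parsed. Accepts the bare "0.9.12"
 * form and the release-tag form "LibVNCServer-0.9.12"; a trailing packaging
 * suffix such as "-1" is ignored. */
int libvnc_version_affected(const char *version) {
    const char *tag = "LibVNCServer-";
    size_t tag_len = strlen(tag);
    if (strncmp(version, tag, tag_len) == 0)
        version += tag_len;               /* strip the release-tag prefix */

    unsigned major, minor, patch;
    if (sscanf(version, "%u.%u.%u", &major, &minor, &patch) != 3)
        return -1;                        /* not a MAJOR.MINOR.PATCH string */

    /* Ordered comparison, most significant component first. */
    if (major != FIXED_MAJOR) return major < FIXED_MAJOR;
    if (minor != FIXED_MINOR) return minor < FIXED_MINOR;
    return patch < FIXED_PATCH;
}

int main(void) {
    /* Constructed sample inputs, not values read from a real host. */
    const char *samples[] = {
        "0.9.11", "0.9.12", "LibVNCServer-0.9.12", "0.10.0", "0.8.2-1", "unknown"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i], libvnc_version_affected(samples[i]));
    return 0;
}
```

A version string alone is only a first-pass signal: distributions that backport the fix keep a pre-0.9.12 version number, so a result of 1 from this check should be confirmed against the vendor's changelog or package advisory before being reported as unpatched.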
## References
- **Vendor Advisory**: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/
- **NVD Entry**: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-15127
- **GitHub Patch/Source**: hxxps[://]github[.]com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12