Full Report
LibVNCServer before release 0.9.12 contains a heap out-of-bounds write in a structure in its VNC client code (libvncclient). A malicious or compromised VNC server can trigger it in any client that connects, and the memory corruption can result in remote code execution in the client process.
Analysis Summary
# Vulnerability: LibVNCServer Heap Out-of-Bound Write
## CVE Details
- **CVE ID:** CVE-2018-20020
- **CVSS Score:** 8.8 (High) - *Calculated from vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H*
- **CWE:** CWE-787 (Out-of-bounds Write) / CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** LibVNCServer, specifically its client library libvncclient (the server-side library libvncserver is not the affected component)
- **Versions:** All versions prior to release 0.9.12
- **Configurations:** Any application that links libvncclient to connect to VNC servers, whether a standalone VNC viewer or a client embedded in another product. Statically linked copies are affected in the same way and must be rebuilt against a fixed version.
## Vulnerability Description
A heap-based out-of-bounds write exists in a structure allocated by the client side of LibVNCServer (libvncclient). It is triggered when the client processes a specially crafted response from the VNC server it has connected to. The client does not sufficiently validate the data lengths or structure sizes it reads from VNC protocol messages before writing into a heap buffer, so a server that controls those values can make the client write past the end of the allocation. Because the server chooses both the size fields and the data that is written, the overflow is attacker-controlled, and corrupting adjacent heap memory can lead to execution of arbitrary code in the context of the application that embeds the library.
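The following is an added example of the bug class this advisory describes, not LibVNC's own code or the actual faulty function: a minimal client that sizes its framebuffer from the server-announced width and height, then applies FramebufferUpdate rectangles whose x, y, width and height the server chooses. The unchecked form trusts those fields and overruns the heap block; the hardened form validates the geometry (in 32-bit arithmetic, so x + w cannot wrap in 16 bits) and the payload length before writing. The framebuffer type, function names and the test rectangles are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class, not LibVNC code: a client
 * framebuffer sized from the ServerInit width/height, then filled from
 * FramebufferUpdate rectangles whose geometry the server chooses. */
typedef struct {
    uint16_t width, height;
    uint8_t  bpp;      /* bytes per pixel */
    uint8_t *pixels;   /* heap block of width * height * bpp bytes */
} framebuffer_t;

/* Rectangle header of a FramebufferUpdate (RFC 6143): x, y, w, h as
 * 16-bit big-endian values, followed by a 32-bit encoding type. */
typedef struct {
    uint16_t x, y, w, h;
    int32_t  encoding;
} rect_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int32_t  rd32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

framebuffer_t *fb_new(uint16_t w, uint16_t h, uint8_t bpp) {
    framebuffer_t *fb = calloc(1, sizeof *fb);
    if (!fb) return NULL;
    fb->width = w; fb->height = h; fb->bpp = bpp;
    fb->pixels = calloc((size_t)w * h, bpp);
    if (!fb->pixels) { free(fb); return NULL; }
    return fb;
}
void fb_free(framebuffer_t *fb) { if (fb) { free(fb->pixels); free(fb); } }

int parse_rect_hdr(const uint8_t *buf, size_t len, rect_hdr_t *r) {
    if (len < 12) return 0;
    r->x = rd16(buf); r->y = rd16(buf + 2); r->w = rd16(buf + 4); r->h = rd16(buf + 6);
    r->encoding = rd32(buf + 8);
    return 1;
}

/* VULNERABLE pattern: trusts the server's geometry. A rectangle that extends
 * past the right or bottom edge makes memcpy write beyond fb->pixels.
 * Kept only as the "before" form; never call it with unvalidated input. */
void raw_rect_unchecked(framebuffer_t *fb, const rect_hdr_t *r, const uint8_t *data) {
    size_t row_bytes = (size_t)r->w * fb->bpp;
    for (uint32_t row = 0; row < r->h; row++) {
        uint8_t *dst = fb->pixels + ((size_t)(r->y + row) * fb->width + r->x) * fb->bpp;
        memcpy(dst, data + row * row_bytes, row_bytes);
    }
}

/* The missing check: compare in 32-bit so x + w cannot wrap in 16 bits. */
int rect_fits(const framebuffer_t *fb, const rect_hdr_t *r) {
    return (uint32_t)r->x + r->w <= fb->width &&
           (uint32_t)r->y + r->h <= fb->height;
}

/* HARDENED form: reject rectangles outside the framebuffer and payloads
 * shorter than the advertised w*h*bpp before any byte is written.
 * Returns 1 on success, 0 on rejection. */
int raw_rect_checked(framebuffer_t *fb, const rect_hdr_t *r,
                     const uint8_t *data, size_t data_len) {
    if (!rect_fits(fb, r)) return 0;
    uint64_t need = (uint64_t)r->w * r->h * fb->bpp;   /* 64-bit: cannot wrap */
    if (data_len < need) return 0;
    raw_rect_unchecked(fb, r, data);   /* now provably inside the block */
    return 1;
}

/* Constructed test vectors (big-endian x, y, w, h; encoding 0 = Raw). */
const uint8_t kInboundsRect[12]  = {0,1, 0,1, 0,2, 0,2, 0,0,0,0};        /* 2x2 at (1,1) */
const uint8_t kOversizedRect[12] = {0,2, 0,2, 0,4, 0,4, 0,0,0,0};        /* 4x4 at (2,2) */
const uint8_t kWrapRect[12]      = {0,1, 0,0, 0xFF,0xFF, 0,1, 0,0,0,0};  /* x=1, w=65535 */
const uint8_t kPixels[4] = {'A', 'B', 'C', 'D'};

/* Demo driver: apply one rectangle to a fresh 4x4, 1-byte-per-pixel
 * framebuffer. Returns -1 if rejected, else the pixel value at (px, py). */
int apply_to_fresh_fb(const uint8_t *hdr, const uint8_t *payload, size_t n,
                      uint16_t px, uint16_t py) {
    framebuffer_t *fb = fb_new(4, 4, 1);
    rect_hdr_t r;
    int result = -1;
    if (fb && parse_rect_hdr(hdr, 12, &r) && raw_rect_checked(fb, &r, payload, n))
        result = fb->pixels[(size_t)py * fb->width + px];
    fb_free(fb);
    return result;
}

int main(void) {
    printf("in-bounds 2x2 -> pixel(2,2) = %c\n", apply_to_fresh_fb(kInboundsRect, kPixels, 4, 2, 2));
    printf("oversized rect rejected: %d\n", apply_to_fresh_fb(kOversizedRect, kPixels, 4, 0, 0) == -1);
    printf("16-bit wrap rect rejected: %d\n", apply_to_fresh_fb(kWrapRect, kPixels, 4, 0, 0) == -1);
    return 0;
}
```

The third vector matters in practice: a check written as `(uint16_t)(x + w) <= width` accepts x=1, w=65535 because the sum wraps to 0, so the geometry comparison has to be done in a wider type than the wire fields. The same discipline applies to every server-supplied size in the protocol, not only rectangle geometry: check it against the allocation that will receive the data before the first write.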
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network
- **User Interaction:** Required (the target user must connect a client built on libvncclient to a malicious or compromised VNC server; the server needs no authentication from the client to deliver the crafted response).
## Impact
- **Confidentiality:** High (code running in the client process can read any data that process can access, including the remote session contents and local files)
- **Integrity:** High (remote code execution with the privileges of the client application allows modification of local data and further lateral movement)
- **Availability:** High (at minimum the heap corruption crashes the client; a reliable exploit can also render the host unstable)
## Remediation
### Patches
- **LibVNCServer 0.9.12:** Users should upgrade to version 0.9.12 or newer, which contains the fix for this heap overflow.
### Workarounds
- No configuration-level workaround is provided. Until the client library has been patched, users should connect only to known, trusted VNC servers, ideally over an authenticated tunnel (SSH or VPN) so that a network attacker cannot substitute a malicious server. Applications that bundle a static copy of libvncclient must be rebuilt by their vendor; updating the system package does not fix them.
## Detection
- **Indicators of Compromise:** Crashes (segmentation faults, heap-corruption aborts) in the VNC client process when connecting to a particular server; unexpected outbound network traffic to unrecognized IPs from the client host following a VNC session.
- **Detection methods and tools:**
- Use software composition analysis (SCA) or the package manager to find the version of libvncclient that is installed or bundled (e.g. `pkg-config --modversion libvncclient`, the distribution's `libvncclient` package version, or `ldd` on the client binary); any version below 0.9.12 is affected. Statically linked clients will not show up in `ldd` output and need to be checked through their vendor's advisory.
- Build the client with AddressSanitizer (`-fsanitize=address`) during testing or fuzzing so that the heap write is reported at the instruction that performs it rather than at a later, unrelated crash.
- Network IDS/IPS can be configured to monitor for anomalous VNC protocol traffic, but because the trigger is a server-to-client message with out-of-range size fields, payload-level detection of this specific heap write is difficult without deep packet inspection of the RFB protocol.
## References
- **NVD Entry:** hxxps://nvd.nist.gov/vuln/detail/CVE-2018-20020
- **Kaspersky ICS CERT:** hxxps://ics-cert.kaspersky[.]com/advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/
- **LibVNC GitHub:** hxxps://github[.]com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12