Full Report
LibVNCServer before release 0.9.12 contains a CWE-835 (Infinite Loop) vulnerability in its VNC client code. A malicious server could exploit it to make the client consume an excessive amount of resources, such as CPU and RAM.
Analysis Summary
# Vulnerability: LibVNCServer Infinite Loop (CWE-835)
## CVE Details
- **CVE ID:** CVE-2018-20021
- **CVSS Score:** 7.5 (High). *Note: the source text gives the vector fragment AV:N/A:H, which corresponds to High severity, but shows a computed score of 0.0, most likely a display error in the original.*
- **CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
## Affected Systems
- **Products:** LibVNCServer / LibVNCClient
- **Versions:** All versions prior to release 0.9.12
- **Configurations:** Systems utilizing the VNC client-side code (LibVNCClient) to connect to VNC servers.
## Vulnerability Description
A flaw exists in the VNC client code of LibVNCServer where the application fails to properly validate or exit specific loops during data processing. This results in an infinite loop (CWE-835). When a client connects to a specially crafted or malicious VNC server, the client-side process can enter a state of perpetual execution, consuming 100% of available CPU resources and potentially exhausting system RAM.
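The two loop shapes at issue, as an added illustration written for this page in C. This is not LibVNCServer or LibVNCClient code: the message layout (a one-byte record count followed by fixed-size records), the `fake_recv` stand-in for a socket, and every function and constant name are constructed assumptions. It places a reader in the CWE-835 shape, which keeps spinning once the server stops sending, beside a hardened form that treats a zero-length read or an implausible server-supplied count as a terminal error.

```c
/* Added illustration of a CWE-835 read loop and its hardened form.
 * Constructed for this page: NOT LibVNCServer/LibVNCClient code. The
 * message layout, the fake_recv() stand-in and all names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "connection": a byte buffer standing in for a socket. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} fake_conn_t;

/* Mimics recv(): copies up to `want` bytes and returns 0 once the peer
 * has nothing more (closed or stalled connection). */
static size_t fake_recv(fake_conn_t *c, uint8_t *out, size_t want)
{
    size_t avail = c->len - c->pos;
    size_t n = want < avail ? want : avail;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Loop in the CWE-835 shape: a zero-length read makes no progress, so the
 * exit condition `got < want` never becomes false. DEMO_CAP exists only so
 * this illustration terminates and can report how often it spun; the real
 * defect has no such cap. */
#define DEMO_CAP 100000L
static long naive_read_exact(fake_conn_t *c, uint8_t *out, size_t want)
{
    size_t got = 0;
    long spins = 0;
    while (got < want) {
        got += fake_recv(c, out + got, want - got); /* never checks for 0 */
        if (++spins >= DEMO_CAP)
            break;
    }
    return spins; /* equals DEMO_CAP when the peer stalled */
}

/* Hardened reader: a zero-length read is an error, not a retry.
 * Returns 1 on success, 0 on a closed or stalled peer. */
static int read_exact(fake_conn_t *c, uint8_t *out, size_t want)
{
    size_t got = 0;
    while (got < want) {
        size_t n = fake_recv(c, out + got, want - got);
        if (n == 0)
            return 0;
        got += n;
    }
    return 1;
}

/* Constructed message format: one count byte, then `count` 4-byte records.
 * MAX_RECORDS bounds the loop independently of what the server claims. */
#define RECORD_SIZE 4
#define MAX_RECORDS 64

/* Returns the number of records consumed, or -1 on truncated or
 * implausible input (instead of spinning forever). */
int process_records(const uint8_t *stream, size_t stream_len)
{
    fake_conn_t c = { stream, stream_len, 0 };
    uint8_t count, rec[RECORD_SIZE];
    int processed = 0;

    if (!read_exact(&c, &count, 1))
        return -1;
    if (count > MAX_RECORDS)
        return -1; /* reject a server-controlled bound we will not honour */
    for (unsigned i = 0; i < count; i++) {
        if (!read_exact(&c, rec, RECORD_SIZE))
            return -1; /* truncated stream: fail closed */
        processed++;
    }
    return processed;
}

/* Constructed sample streams. */
static const uint8_t sample_good[]      = { 2, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t sample_truncated[] = { 3, 1, 2, 3, 4, 5, 6 };
static const uint8_t sample_huge[]      = { 255, 1, 2, 3, 4 };

/* How many times the naive loop spins on the truncated stream. */
long naive_spins_on_truncated(void)
{
    fake_conn_t c = { sample_truncated, sizeof sample_truncated, 0 };
    uint8_t buf[3 * RECORD_SIZE + 1];
    return naive_read_exact(&c, buf, sizeof buf);
}

int main(void)
{
    printf("good: %d records\n", process_records(sample_good, sizeof sample_good));
    printf("truncated: %d\n", process_records(sample_truncated, sizeof sample_truncated));
    printf("huge: %d\n", process_records(sample_huge, sizeof sample_huge));
    printf("naive loop spun %ld times on truncated input (capped)\n",
           naive_spins_on_truncated());
    return 0;
}
```

The defensive points are the two early returns: a read that makes no progress ends the operation, and a loop bound supplied by the remote side is checked against a local limit before it is used. In a client that does not apply either check, a server that stops sending or announces an absurd count keeps the process in the loop, which is the resource-exhaustion behaviour described above.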
## Exploitation
- **Status:** PoC available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (A user must be induced to connect their VNC client to a malicious VNC server).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (denial of service through resource exhaustion).
## Remediation
### Patches
- **LibVNCServer 0.9.12:** Users should upgrade to version 0.9.12 or newer. The patch was officially integrated into the vendor's source code in September 2018.
### Workarounds
- No specific software workarounds are identified. Users are advised to only connect to trusted VNC servers until the patch is applied.
## Detection
- **Indicators of Compromise:** High CPU spikes (100% core usage) and rapidly increasing memory consumption by VNC client processes.
- **Detection methods and tools:** Monitoring for abnormal process behavior in client environments; use of vulnerability scanners to identify outdated versions of `libvncclient.so` or `libvncserver.a`.
## References
- Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/
- NVD CVE-2018-20021: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-20021
- LibVNC GitHub: hxxps[://]github[.]com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12