Full Report
LibVNC client code contains a heap buffer overflow vulnerability in commits prior to 6073771eed1caf72f196e410182471e0dfd32149. This could possibly result in remote code execution. The attack appears to be exploitable via network connectivity. The issue has been fixed in commit 54220248886b5001fbbb9fa73c4e1a2cb9413fed.
Analysis Summary
# Vulnerability: Heap Buffer Overflow in LibVNC Client Leading to RCE
## CVE Details
- CVE ID: CVE-2019-15690
- CVSS v3 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which evaluates to a base score of 8.8 (High). The advisory's string also carries the temporal metrics E:P/RL:O/RC:C (proof-of-concept exploit, official fix available, confirmed report), which give a temporal score of 7.9.
- CWE: CWE-122 (Heap-based Buffer Overflow), with CWE-190 (Integer Overflow or Wraparound) as the root cause.
## Affected Systems
- Products: LibVNCServer project; the vulnerable code is in its client library, libvncclient (`libvncclient/cursor.c`).
- Versions: the 0.9.12 release and earlier; more precisely, any build that does not include commit `54220248886b5001fbbb9fa73c4e1a2cb9413fed`.
- Configurations: Any configuration using the vulnerable LibVNC client library.
## Vulnerability Description
The vulnerability is a heap buffer overflow in the `HandleCursorShape()` function in `libvncclient/cursor.c`, which handles cursor-shape rectangles (XCursor/RichCursor pseudo-encodings) sent by the VNC server. The cursor width and height are taken from the server-supplied rectangle header and used to compute the size of a heap buffer for the cursor pixels and mask; the multiplication can wrap (CWE-190), so the buffer is allocated smaller than the data that is subsequently written into it (CWE-122). Because this is a client-side flaw, the attacker is the VNC server the victim connects to (or a man-in-the-middle on an unencrypted VNC session); a malicious server can deliver the crafted cursor update as soon as the client has connected, corrupting the heap and potentially achieving remote code execution.
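The following is an added example, not code from LibVNCServer or from the advisory. It models the size arithmetic described above with constructed inputs: the unchecked computation wraps for large 16-bit dimensions, and a hardened variant refuses dimensions whose byte count cannot be represented or exceeds a cap. `CURSOR_MAX_BYTES` and the function names are assumptions made for this example; the wrap is modelled in `uint32_t` so the demo stays well-defined rather than relying on signed overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound accepted for a cursor bitmap. Chosen for this example; a real
 * client would derive a limit from its own framebuffer dimensions. */
#define CURSOR_MAX_BYTES (1024u * 1024u)

/* Model of the vulnerable size computation: the server-controlled 16-bit
 * width and height are multiplied with bytesPerPixel in 32-bit arithmetic.
 * Modelled as uint32_t so the wraparound is well-defined in this demo. */
static uint32_t cursor_bytes_unchecked(uint16_t width, uint16_t height,
                                       uint32_t bytes_per_pixel)
{
    return (uint32_t)width * (uint32_t)height * bytes_per_pixel;
}

/* Hardened version: compute in size_t, reject degenerate and oversized
 * shapes, and check the multiplication before it happens. Returns 0 and
 * stores the byte count on success, -1 if the update must be rejected. */
static int cursor_bytes_checked(uint16_t width, uint16_t height,
                                uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;                     /* nothing to draw; do not allocate */
    if (bytes_per_pixel == 0 || bytes_per_pixel > 4)
        return -1;                     /* RFB pixel formats are 8/16/32 bpp */
    size_t pixels = (size_t)width * (size_t)height;  /* <= 65535^2, fits */
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return -1;                     /* would wrap on a 32-bit size_t */
    size_t bytes = pixels * bytes_per_pixel;
    if (bytes > CURSOR_MAX_BYTES)
        return -1;                     /* implausible cursor: treat as hostile */
    *out = bytes;
    return 0;
}

/* What the client does next is allocate 'alloc' bytes and copy the full
 * pixel payload into it. Returns 1 when the payload is larger than the
 * wrapped allocation, i.e. the pre-fix path overflows the heap. The
 * overflowing write itself is deliberately not performed here. */
static int would_overflow(uint16_t width, uint16_t height, uint32_t bpp)
{
    uint32_t alloc = cursor_bytes_unchecked(width, height, bpp);
    uint64_t needed = (uint64_t)width * height * bpp;
    return needed > alloc;
}

int main(void)
{
    /* Constructed inputs: a normal 32x32 cursor, and a hostile 32768x32769
     * cursor whose byte count is 2^32 + 2^17 and wraps to 131072. */
    size_t n = 0;
    printf("32x32x4 checked -> %d, bytes=%zu\n",
           cursor_bytes_checked(32, 32, 4, &n), n);
    printf("32768x32769x4 unchecked -> %u (wrapped)\n",
           cursor_bytes_unchecked(32768, 32769, 4));
    printf("32768x32769x4 overflows heap on pre-fix path: %d\n",
           would_overflow(32768, 32769, 4));
    printf("32768x32769x4 checked -> %d\n",
           cursor_bytes_checked(32768, 32769, 4, &n));
    return 0;
}
```

The hostile dimensions are chosen so the 32-bit product lands on a small positive value (131072 bytes) rather than a negative one: a small allocation succeeds and the following copy runs off the end of it, which is the heap-overflow outcome the advisory describes. Any check that only tests `width * height == 0` after the multiplication does not catch this case.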
## Exploitation
- Status: No public exploit is referenced in the advisory; the temporal metric E:P in the vector indicates proof-of-concept code exists (the reporter's). Successful exploitation corrupts the client's heap and may lead to RCE.
- Complexity: Low (AC:L). The precondition is that a victim's VNC client connects to an attacker-controlled or impersonated server (UI:R); no authentication to the client is needed (PR:N).
- Attack Vector: Network (AV:N), remotely exploitable by the server side of the connection.
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Update LibVNCServer to a build that includes commit `54220248886b5001fbbb9fa73c4e1a2cb9413fed` or newer.
- The fix landed in the development branch in December 2019; verify by commit (or by a distribution security update that references this CVE) rather than by the 0.9.12 version number alone.
### Workarounds
- No workarounds are listed in the advisory. Since the flaw is in the client, restricting inbound exposure of VNC servers does not help; instead, connect only to trusted servers and tunnel VNC sessions over SSH or TLS so that an on-path attacker cannot impersonate the server and deliver the crafted cursor update.
## Detection
- Detection methods are not specified in the advisory. On the network, a FramebufferUpdate rectangle using the XCursor or RichCursor pseudo-encoding with implausibly large width or height (tens of thousands of pixels, or a width*height*bytesPerPixel product that does not fit in 32 bits) is a usable indicator; on the host, crashes of VNC viewer processes inside libvncclient after connecting to an untrusted server warrant investigation.
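As an added example, not part of the advisory, the following filter inspects RFB rectangle headers and flags cursor-shape updates with implausible dimensions. The header layout (x, y, w, h as big-endian 16-bit fields, then a 32-bit encoding) and the XCursor/RichCursor encoding values are from the RFB protocol; `CURSOR_MAX_SIDE`, the function names and the sample bytes are assumptions constructed for this example. A real detector would also have to follow the RFB handshake and the FramebufferUpdate message framing to locate these headers in a stream.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RFB_ENC_XCURSOR    0xFFFFFF10u   /* rfbEncodingXCursor */
#define RFB_ENC_RICHCURSOR 0xFFFFFF11u   /* rfbEncodingRichCursor */
/* Largest cursor side treated as plausible. An assumption for this detector:
 * real cursors are tens of pixels; a side wider than any screen is suspect. */
#define CURSOR_MAX_SIDE 256u

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Walks an array of 12-byte RFB rectangle headers and returns how many are
 * cursor-shape updates with implausible dimensions. Only the headers are
 * inspected; the pixel payload that follows each rect in a real stream is
 * not modelled here. */
static int count_suspicious_cursor_rects(const uint8_t *hdrs, size_t n_rects)
{
    int flagged = 0;
    for (size_t i = 0; i < n_rects; i++) {
        const uint8_t *h = hdrs + i * 12;
        uint16_t w = be16(h + 4), hgt = be16(h + 6);
        uint32_t enc = be32(h + 8);
        if (enc != RFB_ENC_XCURSOR && enc != RFB_ENC_RICHCURSOR)
            continue;                      /* not a cursor-shape rect */
        /* A 32-bit w*h*4 wraps exactly when the 64-bit product exceeds it. */
        uint64_t bytes = (uint64_t)w * hgt * 4;
        int wraps = bytes > UINT32_MAX;
        if (wraps || w > CURSOR_MAX_SIDE || hgt > CURSOR_MAX_SIDE) {
            printf("rect %zu: cursor %ux%u enc=0x%08x%s\n", i,
                   (unsigned)w, (unsigned)hgt, enc,
                   wraps ? " (32-bit size wraps)" : "");
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample: a normal 32x32 RichCursor, a 64x64 Raw rect (encoding 0,
 * not a cursor), and a hostile 32768x32769 XCursor. */
static const uint8_t SAMPLE_RECTS[] = {
    0x00,0x00, 0x00,0x00, 0x00,0x20, 0x00,0x20, 0xFF,0xFF,0xFF,0x11,
    0x00,0x00, 0x00,0x00, 0x00,0x40, 0x00,0x40, 0x00,0x00,0x00,0x00,
    0x00,0x00, 0x00,0x00, 0x80,0x00, 0x80,0x01, 0xFF,0xFF,0xFF,0x10,
};

/* Runs the detector over the sample; returns the number of flagged rects. */
static int run_sample(void)
{
    return count_suspicious_cursor_rects(SAMPLE_RECTS,
                                         sizeof SAMPLE_RECTS / 12);
}

int main(void)
{
    printf("flagged: %d\n", run_sample());
    return 0;
}
```

The wrap test is the precise indicator for this bug; the side-length cap is a coarser heuristic that also catches oversized cursors whose product happens not to wrap. Alerting on either is cheap because cursor-shape rectangles are rare in normal sessions.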
## References
- Vendor fix: patch released in December 2019.
- Fix commit: [github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed](https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed)
- Full Advisory: [ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-009-remote-code-execution-on-libvnc-version-prior-to-0-9-12/](https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-009-remote-code-execution-on-libvnc-version-prior-to-0-9-12/)