Full Report
TigerVNC versions prior to 1.10.1 are vulnerable to a stack buffer overflow that can be triggered from CMsgReader::readSetCursor. The vulnerability occurs due to insufficient sanitization of PixelFormat. Since a remote attacker can choose the offset from the start of the buffer at which their values are written, exploitation of this vulnerability could result in remote code execution. This attack []
Analysis Summary
# Vulnerability: Stack Buffer Overflow in TigerVNC leading to Potential RCE (CVE-2019-15695)
## CVE Details
- CVE ID: CVE-2019-15695
- CVSS Score: the source lists no explicit score, only the vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C`. Its Base metrics (`AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`) compute to a base score of 8.8 (High); the trailing `E:P/RL:O/RC:C` are Temporal metrics (Proof-of-Concept exploit, Official Fix available, Confirmed report), which bring the temporal score to 7.9.
- CWE: the report describes a stack-based buffer overflow (CWE-121) caused by improper input validation (CWE-20) of the `PixelFormat` structure; the source does not list an official CWE assignment.
## Affected Systems
- Products: TigerVNC
- Versions: Prior to 1.10.1
- Configurations: the vulnerable code is in `CMsgReader`, the client-side message reader, so the exposed component is the TigerVNC viewer. It is reached over the network when the viewer connects to a malicious or compromised VNC server; a TigerVNC server is not the attack surface for this CVE.
## Vulnerability Description
TigerVNC versions before 1.10.1 contain a stack buffer overflow in `CMsgReader::readSetCursor`, the viewer-side handler for cursor updates sent by the server. The flaw stems from insufficient sanitization of the `PixelFormat` the viewer receives from the server: field values that are never checked for consistency are used in buffer arithmetic, so a malicious server controls the offset from the start of a stack buffer at which server-supplied bytes are written. A controlled out-of-bounds write on the stack is the classic precondition for hijacking control flow, which is why the report rates the outcome as potential remote code execution in the viewer process.
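The bug class described above, as an added illustration (constructed here, not TigerVNC's code): a viewer-side cursor decoder that uses a server-supplied pixel format in its buffer arithmetic, together with the validation that stops inconsistent fields from turning into attacker-chosen offsets. The structure mirrors the RFB `PIXEL_FORMAT` layout from RFC 6143; the field names, the `MAX_CURSOR_DIM` limit, the sample formats and the 2x1 cursor bytes are assumptions made for the example.

```c
/* Added illustration of the bug class in CVE-2019-15695: a viewer-side cursor
 * decoder that trusts the server-supplied pixel format, with the validation
 * that prevents attacker-chosen offsets. Constructed example, not TigerVNC code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of the RFB PIXEL_FORMAT structure (RFC 6143, section 7.4). */
typedef struct {
    uint8_t  bpp, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
} pixel_format;

#define MAX_CURSOR_DIM 256u  /* assumed policy limit; RFB itself sets none */

/* Constructed sample formats. SANE_888 is ordinary 32-bit 0xRRGGBB. The three
 * CRAFTED_* formats each break one constraint that unchecked code would turn
 * into out-of-range buffer arithmetic: red_shift/8 == 25 bytes into a 4-byte
 * pixel, an 8-byte pixel fed to 32-bit code, overlapping channel masks. */
static const pixel_format SANE_888        = {32, 24, 0, 1, 255, 255, 255, 16, 8, 0};
static const pixel_format CRAFTED_SHIFT   = {32, 24, 0, 1, 255, 255, 255, 200, 8, 0};
static const pixel_format CRAFTED_BPP     = {64, 24, 0, 1, 255, 255, 255, 16, 8, 0};
static const pixel_format CRAFTED_OVERLAP = {16, 16, 0, 1, 255, 255, 255, 0, 4, 8};

static int bits_for_max(uint16_t max) { int n = 0; while (max) { n++; max >>= 1; } return n; }

/* Reject any format whose fields cannot describe a real pixel. Each rule is a
 * constraint the RFB structure imposes; violating one lets shift/mask
 * arithmetic reach bytes outside the pixel, i.e. an attacker-chosen offset. */
int pf_is_sane(const pixel_format *pf)
{
    if (pf->bpp != 8 && pf->bpp != 16 && pf->bpp != 32) return 0;
    if (pf->depth < 1 || pf->depth > pf->bpp) return 0;
    if (!pf->true_colour) return 0;
    const uint16_t maxes[3]  = {pf->red_max, pf->green_max, pf->blue_max};
    const uint8_t  shifts[3] = {pf->red_shift, pf->green_shift, pf->blue_shift};
    uint32_t masks[3];
    for (int i = 0; i < 3; i++) {
        if (maxes[i] == 0 || (maxes[i] & (maxes[i] + 1))) return 0;  /* must be 2^n-1 */
        if (shifts[i] + bits_for_max(maxes[i]) > pf->bpp) return 0; /* channel inside pixel */
        masks[i] = (uint32_t)maxes[i] << shifts[i];                 /* shift <= 31 here */
    }
    if ((masks[0] & masks[1]) || (masks[0] & masks[2]) || (masks[1] & masks[2])) return 0;
    return 1;
}

static uint32_t read_pixel(const pixel_format *pf, const uint8_t *p)
{
    uint32_t v = 0;
    int n = pf->bpp / 8;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (pf->big_endian ? 8 * (n - 1 - i) : 8 * i);
    return v;
}

static uint8_t scale8(uint32_t v, uint16_t max) { return (uint8_t)((v * 255u) / max); }

/* Decode a cursor rectangle into RGBA. The format and every length are checked
 * against the announced dimensions before the first byte is touched. */
int decode_cursor(const pixel_format *pf, unsigned width, unsigned height,
                  const uint8_t *data, size_t data_len,
                  const uint8_t *mask, size_t mask_len,
                  uint8_t *rgba, size_t rgba_len)
{
    if (!pf_is_sane(pf)) return -1;
    if (width == 0 || height == 0 || width > MAX_CURSOR_DIM || height > MAX_CURSOR_DIM) return -1;
    size_t bpp_bytes = pf->bpp / 8, mask_stride = (width + 7) / 8;
    if (data_len != (size_t)width * height * bpp_bytes) return -1;
    if (mask_len != mask_stride * height) return -1;
    if (rgba_len < (size_t)width * height * 4) return -1;
    for (unsigned y = 0; y < height; y++) {
        for (unsigned x = 0; x < width; x++) {
            const uint8_t *in = data + ((size_t)y * width + x) * bpp_bytes;
            uint8_t *out = rgba + ((size_t)y * width + x) * 4;
            if (!(mask[y * mask_stride + x / 8] & (0x80 >> (x % 8)))) { memset(out, 0, 4); continue; }
            uint32_t pix = read_pixel(pf, in);
            out[0] = scale8((pix >> pf->red_shift) & pf->red_max, pf->red_max);
            out[1] = scale8((pix >> pf->green_shift) & pf->green_max, pf->green_max);
            out[2] = scale8((pix >> pf->blue_shift) & pf->blue_max, pf->blue_max);
            out[3] = 255;
        }
    }
    return 0;
}

/* Constructed 2x1 cursor: pixel 0 pure red, pixel 1 pure green, only pixel 0 visible. */
static const uint8_t CURSOR_DATA[8] = {0x00, 0x00, 0xFF, 0x00, 0x00, 0xFF, 0x00, 0x00};
static const uint8_t CURSOR_MASK[1] = {0x80};

int demo_decode_sane(uint8_t rgba[8])
{ return decode_cursor(&SANE_888, 2, 1, CURSOR_DATA, 8, CURSOR_MASK, 1, rgba, 8); }

int demo_decode_crafted(uint8_t rgba[8])
{ return decode_cursor(&CRAFTED_SHIFT, 2, 1, CURSOR_DATA, 8, CURSOR_MASK, 1, rgba, 8); }

int main(void)
{
    uint8_t rgba[8];
    printf("sane: %d  crafted shift: %d  crafted bpp: %d  overlap: %d\n",
           pf_is_sane(&SANE_888), pf_is_sane(&CRAFTED_SHIFT),
           pf_is_sane(&CRAFTED_BPP), pf_is_sane(&CRAFTED_OVERLAP));
    printf("decode sane: %d, first pixel RGBA %u %u %u %u\n", demo_decode_sane(rgba),
           rgba[0], rgba[1], rgba[2], rgba[3]);
    printf("decode crafted: %d (rejected before any write)\n", demo_decode_crafted(rgba));
    return 0;
}
```

The point of the example is the order of operations: the format is validated once, when it arrives, and the decoder only performs arithmetic on fields that have already been bounded, so no server-chosen value can become an index past the pixel or past the output buffer. The "attacker-chosen offset" in the CVE text is exactly what an unchecked shift or bits-per-pixel becomes once it feeds pointer arithmetic over a fixed-size stack buffer.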
## Exploitation
- Status: the Temporal metric `E:P` in the vector indicates that Proof-of-Concept exploit code existed at the time of the advisory; no public weaponized exploit is cited in this summary.
- Complexity: Low (`AC:L`, `PR:N`). `UI:R` does not conflict with the vector; it reflects the client-side location of the bug: a user must connect the viewer to a server the attacker controls, after which the malicious server can send the triggering cursor update without further action by the user.
- Attack Vector: Network (malicious server to viewer).
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Upgrade TigerVNC to version **1.10.1** or later. (Vendor patch released December 2019)
### Workarounds
- No vendor workaround is documented in this summary. Because the flaw is in the viewer, connecting only to trusted VNC servers limits exposure until clients are updated; the detection measures below help identify attempts in the meantime.
## Detection
- Indicators of compromise: the likely observable effect of a failed or untargeted attempt is a viewer crash (segmentation fault in the viewer process shortly after connecting to a server); a successful exploit would leave the viewer running with attacker-controlled code, so crash reports alone are not a sufficient signal.
- Detection methods: because the triggering data flows from server to client, network monitoring (IDS/IPS) of VNC traffic must inspect the server-to-viewer direction, flagging cursor updates whose pixel-format fields are inconsistent (bits-per-pixel outside 8/16/32, colour shifts or depth exceeding bits-per-pixel) or whose payload lengths do not match the announced cursor dimensions. On the host side, an inventory of viewer installations below 1.10.1 identifies exposed endpoints.
## References
- Vendor Advisory: TigerVNC
- KLCERT Advisory: KLCERT-20-008
- NVD Link: hxxps://nvd.nist.gov/vuln/detail/CVE-2019-15695