Full Report
TigerVNC versions prior to 1.10.1 are vulnerable to a heap buffer overflow that can be triggered from DecodeManager::decodeRect. The vulnerability is caused by a signedness error in the processing of MemOutStream. Exploitation could result in remote code execution. The attack appears to be exploitable over the network.
Analysis Summary
# Vulnerability: Heap Buffer Overflow Leading to RCE in TigerVNC
## CVE Details
- CVE ID: CVE-2019-15694
- CVSS Score: **0.0** (as listed in the source article; anomalous). The vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H implies **High** impact, and a remote code execution flaw would typically score far higher. The listed score is retained for consistency with the source, with the implied severity noted.
- CWE: Not explicitly stated; the weak memory handling implied is most likely CWE-122 (Heap-based Buffer Overflow).
## Affected Systems
- Products: TigerVNC
- Versions: Prior to 1.10.1
- Configurations: N/A
## Vulnerability Description
TigerVNC versions before 1.10.1 are susceptible to a heap buffer overflow within the `DecodeManager::decodeRect` function. The flaw stems from a **signedness error** during the processing of the `MemOutStream`. Successful exploitation could allow an attacker to execute arbitrary code on the target system.
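The bug class named above, as an added illustration that is not TigerVNC's code: a constructed model of a memory output stream whose capacity check uses a signed length, beside the unsigned, overflow-checked form a fix would use. The names `mem_out_stream`, `has_room_signed`, `has_room_unsigned` and `rect_bytes_checked` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a growable output stream. This is NOT TigerVNC's
 * MemOutStream; it only illustrates the signedness-error class the advisory
 * names, in a form that is safe to run (nothing is written past a buffer). */
struct mem_out_stream {
    unsigned char *start;
    unsigned char *ptr;   /* next write position */
    unsigned char *end;   /* one past the last valid byte */
};

/* How a signed length goes wrong: width*height*bpp computed in 32-bit
 * arithmetic silently wraps and, cast to int, may come out negative. */
int rect_bytes_signed(unsigned width, unsigned height, unsigned bpp) {
    return (int)(width * height * bpp);
}

/* Weak capacity check with a signed 'needed': any negative value satisfies
 * the comparison, so a caller would go on to copy 'needed' bytes (which a
 * memcpy reinterprets as a huge size_t) past the end of the heap buffer. */
bool has_room_signed(const struct mem_out_stream *s, int needed) {
    return (ptrdiff_t)(s->end - s->ptr) >= needed;
}

/* Hardened check: the size is unsigned and compared against the remaining
 * space, so a negative length cannot exist and a wrapped one cannot pass. */
bool has_room_unsigned(const struct mem_out_stream *s, size_t needed) {
    size_t avail = (size_t)(s->end - s->ptr);
    return needed <= avail;
}

/* Overflow-checked length computation: rejects products that do not fit in
 * size_t instead of wrapping, which is exactly the check the weak path lacks. */
bool rect_bytes_checked(unsigned width, unsigned height, unsigned bpp,
                        size_t *out) {
    if (width == 0 || height == 0 || bpp == 0) { *out = 0; return true; }
    if ((size_t)width > SIZE_MAX / height) return false;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp) return false;
    *out = pixels * bpp;
    return true;
}
```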
## Exploitation
- Status: **Unknown** (Article states "Existence of exploit Unknown")
- Complexity: **Low** (Based on CVSS vector AV:N/AC:L/PR:N)
- Attack Vector: **Network**
## Impact
- Confidentiality: **High** (Implied by RCE potential)
- Integrity: **High** (Implied by RCE potential)
- Availability: **High** (Implied by RCE potential)
## Remediation
### Patches
- Update TigerVNC to **version 1.10.1 or later**. (Vendor released patch in December 2019)
### Workarounds
- No specific workarounds were listed in the provided advisory text beyond updating the software.
## Detection
- **Indicators of Compromise (IOCs):** Not specified. Monitor the TigerVNC process for crashes (a failed overflow attempt typically aborts the process) and for unexpected child processes or outbound connections that would indicate successful code execution.
- **Detection Methods and Tools:** Monitor network traffic to VNC ports (5900/tcp by default) for unexpected or malformed data aimed at the rectangle decode path. Deep packet inspection of the VNC protocol payload structure around rectangle decoding could be relevant where supported.
## References
- Vendor Advisory: TigerVNC (Implied by patch release)
- Kaspersky Advisory: hXXps://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-323-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/