# Full Report
TigerVNC versions prior to 1.10.1 are vulnerable to a heap buffer overflow in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result in remote code execution. The attack appears to be exploitable via network connectivity.
# Analysis Summary
# Vulnerability: Heap Buffer Overflow in TigerVNC leading to RCE
## CVE Details
- CVE ID: CVE-2019-15693
- CVSS Score: 9.8 as listed. The provided vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C, which denotes high severity; because it includes User Interaction: Required, the base score computed from the vector alone (ignoring the temporal metrics E:P/RL:O/RC:C) is **8.8 (High)**. The article itself shows a generic "0.0", which is likely a placeholder or an error. *Note: Since the CVSS score provided in the article is "0.0", the severity assessment here leans on the potential impact (RCE) and the vector.*
- CWE: Not explicitly listed, but the description implies a buffer overflow or a related memory-safety weakness.
## Affected Systems
- Products: TigerVNC
- Versions: Prior to 1.10.1
- Configurations: Affects network-facing components processing VNC traffic.
## Vulnerability Description
TigerVNC versions preceding 1.10.1 are susceptible to a heap buffer overflow vulnerability located within the `TightDecoder::FilterGradient` function. Successful exploitation allows an attacker to potentially execute arbitrary code remotely.
## Exploitation
- Status: Exploit existence is listed as "Unknown" in the provided data, but the CVSS vector carries the temporal metric **E:P (Exploit Code Maturity: Proof-of-Concept)**, suggesting that proof-of-concept (PoC) material exists or that the vulnerability is known to be weaponizable.
- Complexity: Low (Attack Complexity: Low)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- Update TigerVNC to version **1.10.1 or later**. (Vendor patch reportedly released in December 2019).
### Workarounds
- No specific workarounds were detailed in the provided text beyond applying the patch. Restricting network access to the VNC service could serve as a temporary measure until the update is deployed.
## Detection
- Indicators of compromise (IOCs) are not specified.
- Detection methods would involve monitoring network traffic directed at the VNC service for malformed packets or unusual control sequences that target the Tight encoding filter. Intrusion Detection System (IDS) signatures keyed to the affected code path or to the buffer conditions it mishandles may be effective once details are public post-disclosure.
## References
- Vendor Advisory: Patch released December 2019.
- Kaspersky ICS CERT Advisory: hxxps://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-007-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/