Full Report
TigerVNC versions prior to 1.10.1 are vulnerable to a stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable which has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote []
Analysis Summary
# Vulnerability: Stack Use-After-Return in TigerVNC ZRLEDecoder
This summary details a critical vulnerability found in older versions of TigerVNC related to memory handling during ZRLE decoding.
## CVE Details
- CVE ID: CVE-2019-15691
- CVSS Score: 9.0 (Critical); vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE: Insufficient Validation of Destroyed Objects (Related to Use-After-Free/Return)
## Affected Systems
- Products: TigerVNC
- Versions: Prior to 1.10.1
- Configurations: Any configuration running the affected versions is susceptible when handling specially crafted ZRLE data.
## Vulnerability Description
The vulnerability is a **stack use-after-return** flaw residing within the `ZRLEDecoder` component of TigerVNC. This issue stems from incorrect stack memory management. If an exception is thrown during the ZRLE decoding routine, the decoder may subsequently attempt to access a stack variable that has already been freed during the stack unwinding process. Successful exploitation can lead to remote code execution (RCE).
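The pattern described above is easier to reason about in miniature. The following is an added, simplified model written for this summary; it is not TigerVNC's code and the names (`MemInStream`, `LayeredInStream`, `setUnderlying`, `removeUnderlying`, `readRect*`) are assumptions chosen to mirror the shape of the bug: a long-lived decoder object keeps a raw pointer to a stream that lives on the stack of a single call, an exception unwinds that frame, and the pointer is left dangling. The hardened variant detaches the pointer on every exit path, including the exceptional one.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example (not TigerVNC code): a minimal model of a stack
// use-after-return caused by an exception unwinding a frame while a
// longer-lived object still points into it.

// Stands in for a stack-allocated input stream over a byte buffer.
struct MemInStream {
    const uint8_t* ptr;
    const uint8_t* end;
    MemInStream(const uint8_t* d, size_t n) : ptr(d), end(d + n) {}
    uint8_t readU8() {
        if (ptr == end) throw std::runtime_error("short read");
        return *ptr++;
    }
};

// Long-lived layered stream (think of a decompressing stream) that keeps a
// raw pointer to whatever underlying stream it was last attached to.
struct LayeredInStream {
    MemInStream* underlying = nullptr;
    void setUnderlying(MemInStream* s) { underlying = s; }
    void removeUnderlying() { underlying = nullptr; }
    uint8_t readU8() {
        if (!underlying) throw std::logic_error("no underlying stream");
        return underlying->readU8();
    }
};

struct Decoder {
    LayeredInStream zis;  // member: outlives every readRect*() call

    // Vulnerable shape: if readU8() throws, `is` is destroyed during
    // unwinding, but zis.underlying still points at the dead stack frame.
    // Any later use of zis is the use-after-return.
    void readRectVulnerable(const std::vector<uint8_t>& buf, size_t need) {
        MemInStream is(buf.data(), buf.size());
        zis.setUnderlying(&is);
        for (size_t i = 0; i < need; ++i) zis.readU8();
        zis.removeUnderlying();  // never reached when an exception is thrown
    }

    // Hardened shape: detach from the stack object before the exception
    // leaves this frame, then rethrow so the caller still sees the error.
    void readRectHardened(const std::vector<uint8_t>& buf, size_t need) {
        MemInStream is(buf.data(), buf.size());
        zis.setUnderlying(&is);
        try {
            for (size_t i = 0; i < need; ++i) zis.readU8();
        } catch (...) {
            zis.removeUnderlying();
            throw;
        }
        zis.removeUnderlying();
    }
};

// Drive one decode attempt over a constructed 2-byte buffer while asking
// for 4 bytes, so the inner read throws. Returns true when the decoder is
// left holding a pointer into the destroyed frame (i.e. a dangling pointer).
bool leavesDanglingPointer(bool hardened) {
    const std::vector<uint8_t> buf = {0x01, 0x02};  // constructed sample data
    Decoder d;
    try {
        if (hardened) d.readRectHardened(buf, 4);
        else          d.readRectVulnerable(buf, 4);
    } catch (const std::runtime_error&) {
        // Truncated input: expected here. The pointer is only compared to
        // nullptr below, never dereferenced, so this check itself is safe.
    }
    return d.zis.underlying != nullptr;
}

int main() {
    // Vulnerable shape leaves a dangling pointer; hardened shape does not.
    return (leavesDanglingPointer(false) && !leavesDanglingPointer(true)) ? 0 : 1;
}
```

In the vulnerable shape the fault does not surface at the `throw`; it surfaces on the next read through `zis` (the next rectangle, or a final flush in a destructor), which dereferences memory belonging to a frame that no longer exists. In a test harness, AddressSanitizer's stack-use-after-return checking (`-fsanitize=address` with `ASAN_OPTIONS=detect_stack_use_after_return=1`) reports exactly that access. A small RAII scope guard whose destructor calls `removeUnderlying()` is an equivalent fix that also covers early returns without duplicating the detach call.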
## Exploitation
- Status: PoC available (CVSS temporal metric E:P: proof-of-concept code exists)
- Complexity: Low (Attack complexity is listed as Low in the vector: AC:L)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- Update TigerVNC to version **1.10.1 or later**.
### Workarounds
- No explicit vendor-supplied workarounds were detailed other than patching. Limiting network access to the VNC service can reduce the attack surface.
## Detection
- Since the vulnerability concerns arbitrary code execution based on malformed ZRLE data received over the network, detection would focus on inspecting incoming VNC traffic payloads for anomalies or known exploit patterns targeting the ZRLE decoding routine.
- **Detection methods and tools:** Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) configured to monitor VNC protocol sessions (typically TCP port 5900 onwards) for suspicious data sequences.
## References
- Vendor advisory: Vendor released a patch in December 2019.
- ICS CERT Advisory: hxxps://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-005-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/