Debian Security Advisory

DLA-2045-1 tightvnc -- LTS security update

Date Reported:
21 Dec 2019
Affected Packages:
tightvnc
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 945364.
In Mitre's CVE dictionary: CVE-2014-6053, CVE-2018-7225, CVE-2019-8287, CVE-2018-20021, CVE-2018-20022, CVE-2019-15678, CVE-2019-15679, CVE-2019-15680, CVE-2019-15681.
More information:

Several vulnerabilities have recently been discovered in TightVNC 1.x, an X11 based VNC server/viewer application for Windows and Unix.

  • CVE-2014-6053

    The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC server did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc.

  • CVE-2018-7225

    rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

  • CVE-2019-8287

    TightVNC code contained global buffer overflow in HandleCoRREBBP macro function, which could potentially have result in code execution. This attack appeared to be exploitable via network connectivity.

    (aka CVE-2018-20020/libvncserver)

  • CVE-2018-20021

    TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop vulnerability. The vulnerability allowed an attacker to consume an excessive amount of resources like CPU and RAM.

  • CVE-2018-20022

    TightVNC's vncviewer contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

  • CVE-2019-15678

    TightVNC code version contained heap buffer overflow in rfbServerCutText handler, which could have potentially resulted in code execution. This attack appeared to be exploitable via network connectivity.

    (partially aka CVE-2018-20748/libvnvserver)

  • CVE-2019-15679

    TightVNC's vncviewer code contained a heap buffer overflow in InitialiseRFBConnection function, which could have potentially resulted in code execution. This attack appeared to be exploitable via network connectivity.

    (partially aka CVE-2018-20748/libvnvserver)

  • CVE-2019-15680

    TightVNC's vncviewer code contained a null pointer dereference in HandleZlibBPP function, which could have resulted in Denial of System (DoS). This attack appeared to be exploitable via network connectivity.

  • CVE-2019-15681

    TightVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could have been abused for information disclosure. Combined with another vulnerability, it could have been used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity.

For Debian 8 Jessie, these problems have been fixed in version 1.3.9-6.5+deb8u1.

We recommend that you upgrade your tightvnc packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS