-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4771
                          tightvnc security update
                              23 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tightvnc
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-15681 CVE-2019-15680 CVE-2019-15679 CVE-2019-15678
                   CVE-2019-8287 CVE-2019-1568 CVE-2018-20748 CVE-2018-20022
                   CVE-2018-20021 CVE-2018-20020 CVE-2018-7225 CVE-2014-6053
Reference:         ESB-2019.4520
                   ESB-2019.4033

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : tightvnc
Version        : 1.3.9-6.5+deb8u1
CVE ID         : CVE-2014-6053 CVE-2018-7225 CVE-2019-8287 CVE-2018-20021
                 CVE-2018-20022 CVE-2019-15678 CVE-2019-15679 CVE-2019-15680
                 CVE-2019-15681
Debian Bug     : 945364

Several vulnerabilities have recently been discovered in TightVNC 1.x, an
X11 based VNC server/viewer application for Windows and Unix.

CVE-2014-6053

    The rfbProcessClientNormalMessage function in rfbserver.c in TightVNC
    server did not properly handle attempts to send a large amount of
    ClientCutText data, which allowed remote attackers to cause a denial
    of service (memory consumption or daemon crash) via a crafted message
    that was processed by using a single unchecked malloc.

CVE-2018-7225

    rfbProcessClientNormalMessage() in rfbserver.c did not sanitize
    msg.cct.length, leading to access to uninitialized and potentially
    sensitive data or possibly unspecified other impact (e.g., an integer
    overflow) via specially crafted VNC packets.
CVE-2019-8287

    TightVNC code contained a global buffer overflow in the HandleCoRREBBP
    macro function, which could potentially have resulted in code
    execution. This attack appeared to be exploitable via network
    connectivity. (aka CVE-2018-20020/libvncserver)

CVE-2018-20021

    TightVNC in vncviewer/rfbproto.c contained a CWE-835: Infinite loop
    vulnerability. The vulnerability allowed an attacker to consume an
    excessive amount of resources like CPU and RAM.

CVE-2018-20022

    TightVNC's vncviewer contained multiple CWE-665: Improper
    Initialization weaknesses in VNC client code that allowed attackers to
    read stack memory and could be abused for information disclosure.
    Combined with another vulnerability, it could be used to leak stack
    memory layout and in bypassing ASLR.

CVE-2019-15678

    TightVNC code contained a heap buffer overflow in the rfbServerCutText
    handler, which could have potentially resulted in code execution. This
    attack appeared to be exploitable via network connectivity. (partially
    aka CVE-2018-20748/libvncserver)

CVE-2019-15679

    TightVNC's vncviewer code contained a heap buffer overflow in the
    InitialiseRFBConnection function, which could have potentially resulted
    in code execution. This attack appeared to be exploitable via network
    connectivity. (partially aka CVE-2018-20748/libvncserver)

CVE-2019-15680

    TightVNC's vncviewer code contained a null pointer dereference in the
    HandleZlibBPP function, which could have resulted in Denial of Service
    (DoS). This attack appeared to be exploitable via network connectivity.

CVE-2019-15681

    TightVNC contained a memory leak (CWE-655) in VNC server code, which
    allowed an attacker to read stack memory and could have been abused
    for information disclosure. Combined with another vulnerability, it
    could have been used to leak stack memory and bypass ASLR. This attack
    appeared to be exploitable via network connectivity.

For Debian 8 "Jessie", these problems have been fixed in version
1.3.9-6.5+deb8u1.
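Three of the entries above (CVE-2014-6053, CVE-2018-7225 and CVE-2019-15678) share one root cause: a peer-supplied length field in an RFB cut-text message reaches malloc or memcpy without being checked. The following is an added example, not TightVNC's code and not part of the Debian advisory, showing a bounded reader for the ClientCutText (type 6) and ServerCutText (type 3) wire format defined in RFC 6143 (U8 type, 3 padding bytes, U32 big-endian length, then the text). The 1 MiB policy cap, the status enum, the function names and the sample messages are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFB message types for clipboard transfer (RFC 6143, sections 7.5.6 and 7.6.4). */
#define RFB_SERVER_CUT_TEXT 3
#define RFB_CLIENT_CUT_TEXT 6

/* Assumed policy cap on an accepted clipboard payload (1 MiB). This value is
 * a choice made for this example, not a number from TightVNC or the advisory. */
#define CUT_TEXT_MAX_LEN (1024u * 1024u)

enum cut_text_status {
    CUT_TEXT_OK = 0,
    CUT_TEXT_SHORT_HEADER,  /* fewer than the 8 header bytes available */
    CUT_TEXT_BAD_TYPE,      /* first byte is not the expected message type */
    CUT_TEXT_TOO_LARGE,     /* advertised length exceeds the policy cap */
    CUT_TEXT_TRUNCATED,     /* advertised length exceeds bytes actually received */
    CUT_TEXT_NOMEM
};

/* Parse one cut-text message from a received byte buffer. The peer-controlled
 * length is bounded against both the policy cap and the bytes in hand before
 * any allocation or copy happens; that ordering is the check whose absence
 * the advisory describes (a single unchecked malloc, unsanitized length).
 * On CUT_TEXT_OK, *out is a malloc'd NUL-terminated copy the caller frees. */
enum cut_text_status parse_cut_text(const uint8_t *buf, size_t buf_len,
                                    uint8_t expected_type,
                                    char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (buf_len < 8)
        return CUT_TEXT_SHORT_HEADER;
    if (buf[0] != expected_type)
        return CUT_TEXT_BAD_TYPE;

    uint32_t len = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16)
                 | ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];

    if (len > CUT_TEXT_MAX_LEN)
        return CUT_TEXT_TOO_LARGE;      /* refuse before touching the allocator */
    if (len > buf_len - 8)              /* safe: buf_len >= 8 was checked above */
        return CUT_TEXT_TRUNCATED;      /* never read past the received bytes */

    /* len <= 1 MiB here, so len + 1 cannot wrap on any platform. */
    char *text = malloc((size_t)len + 1);
    if (text == NULL)
        return CUT_TEXT_NOMEM;
    memcpy(text, buf + 8, len);
    text[len] = '\0';
    *out = text;
    *out_len = len;
    return CUT_TEXT_OK;
}

/* Constructed sample messages (hand-built byte strings, not captured traffic). */
static const uint8_t SAMPLE_OK[]    = { 6, 0,0,0, 0,0,0,5, 'h','e','l','l','o' };
static const uint8_t SAMPLE_HUGE[]  = { 6, 0,0,0, 0xFF,0xFF,0xFF,0xFF };   /* claims ~4 GiB */
static const uint8_t SAMPLE_TRUNC[] = { 6, 0,0,0, 0,0,0,10, 'a','b','c' }; /* claims 10, sends 3 */
static const uint8_t SAMPLE_SRV[]   = { 3, 0,0,0, 0,0,0,2, 'o','k' };       /* ServerCutText */

struct sample { const uint8_t *msg; size_t len; uint8_t expect_type; const char *name; };
static const struct sample SAMPLES[] = {
    { SAMPLE_OK,    sizeof SAMPLE_OK,    RFB_CLIENT_CUT_TEXT, "well-formed ClientCutText" },
    { SAMPLE_HUGE,  sizeof SAMPLE_HUGE,  RFB_CLIENT_CUT_TEXT, "oversized length field" },
    { SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, RFB_CLIENT_CUT_TEXT, "length exceeds received bytes" },
    { SAMPLE_SRV,   sizeof SAMPLE_SRV,   RFB_CLIENT_CUT_TEXT, "server message where client expected" },
    { SAMPLE_SRV,   sizeof SAMPLE_SRV,   RFB_SERVER_CUT_TEXT, "well-formed ServerCutText" },
};
#define NUM_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Parse sample i and return its status; an out-of-range index is treated as
 * an invalid message. Any text produced is freed here. */
enum cut_text_status sample_status(size_t i, size_t *text_len)
{
    char *text = NULL;
    size_t n = 0;
    if (i >= NUM_SAMPLES)
        return CUT_TEXT_BAD_TYPE;
    enum cut_text_status st = parse_cut_text(SAMPLES[i].msg, SAMPLES[i].len,
                                             SAMPLES[i].expect_type, &text, &n);
    if (text_len != NULL)
        *text_len = n;
    free(text);
    return st;
}

/* Length of the text the parser accepted for sample i (0 when rejected). */
size_t sample_text_len(size_t i)
{
    size_t n = 0;
    sample_status(i, &n);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NUM_SAMPLES; i++) {
        size_t n = 0;
        enum cut_text_status st = sample_status(i, &n);
        printf("%-40s -> status %d, text length %zu\n", SAMPLES[i].name, (int)st, n);
    }
    return 0;
}
```

The order of the two bounds checks matters: comparing the advertised length against a policy cap first means a hostile 0xFFFFFFFF never reaches the allocator at all, and comparing it against the bytes actually received prevents the copy from reading beyond the buffer even when the cap is satisfied. Both checks happen before malloc, which is the property the advisory's "single unchecked malloc" and "did not sanitize msg.cct.length" entries describe as missing.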
We recommend that you upgrade your tightvnc packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXgAdZGaOgq3Tt24GAQgBIxAA3WJfpf/10VAwGNi7JDmHLUlnuuKLvb7e
neBLbWxtbivyCzACAifKl7AW1jFBPnwgawTTa/yk2CNSbeLYwfs9r4C9jFbzMcJJ
ZtKBoAEOQStNX3koY3dUTNSKbKAsLjrAWNdLM7K4Lgg6gNJdbQpagRSeYGF62nZH
wWl+/vCk/P2khRaQ/9KhrU4hM9P4KEnGFA/0WDmgXtybyYn6tst0o/Ujql/jY+zh
Ycnxuu+SUUxgKF1/Fb+dZu3ijS5NooDp2cFYJVXNM+Bd/QMuvHdJYPMyYfovcXi9
E74S/MGAY2uyW/OqaInJkbeBUUXBrUlSzVkCcU3/ob2CbF7q0EZK3VhgKAix6N6j
asJbTfrLn9XPGUPrnA+fv14Uubnsnykn7j8ewhv/p1W+nZFXvdgaWpjyYpcMNMAr
CKdEP0S+/8wk0wOvvzzTUb+3AKkPurR3zgoLYo9BXoJG2wfhIj2iRQEu4tmtty+q
39gwYBYbXrNRxkaZ3noyWxrXLZfYXL+xa87T3H2iv8ym6HF49LSmehQaS/jTLU0a
5cKZwEG8Um0n9yfsjCVz0E019KBYbz85u1dXGeJR/WycYYScx2O/6GfHvsrQ687U
mgn13nUTM65iRShDzmx3r7/+5nUVFvAYu2Cqiq4Mq6XynxMGiMPCR4M0xSMP5j4+
NroOGeXNm9I=
=THQH
-----END PGP SIGNATURE-----