Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 538
Alerts This Week
Warning Icon 1 538

Debian 8 DLA-1617-1: Critical Libvncserver Remote Code Threat

debian lts
Calendar Grey December 27, 2018
Dist Debian Esm H88
Package : libvncserver Version : 0.9.9+dfsg2-6.1+deb8u4 CVE ID : CVE-2018-6307 CVE-2018-15127 CVE-20
Kaspersky Lab discovered several vulnerabilities in libvncserver, a C library to implement VNC server/client functionalities

Summary

Kaspersky Lab discovered several vulnerabilities in libvncserver, a C
library to implement VNC server/client functionalities.

CVE-2018-6307

a heap use-after-free vulnerability in the server code of the file
transfer extension, which can result in remote code execution. This
attack appears to be exploitable via network connectivity.

CVE-2018-15127

contains a heap out-of-bound write vulnerability in the server code
of the file transfer extension, which can result in remote code
execution. This attack appears to be exploitable via network
connectivity.

CVE-2018-20019

multiple heap out-of-bound write vulnerabilities in VNC client code,
which can result in remote code execution.

CVE-2018-20020

heap out-of-bound write vulnerability in a structure in VNC client
code, which can result in remote code execution.

CVE-2018-20021

CWE-835: Infinite Loop vulnerability in VNC client code. The
vulnerability could allow an attacker to consume an excessive amount

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: libvncserver
Version: 0.9.9+dfsg2-6.1+deb8u4
CVE ID: CVE-2018-6307 CVE-2018-15127 CVE-2018-20019
Debian Bug: 916941

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.