Full Report
LibVNC before commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple CWE-665: Improper Initialization weaknesses in its VNC client code (libvncclient). A malicious or compromised VNC server can use them to read the client's stack memory, an information disclosure that, combined with another vulnerability, can reveal the stack memory layout and help bypass ASLR. The issue is fixed in commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 and later.
Analysis Summary
# Vulnerability: Multiple Memory Initialization Flaws in LibVNC Client
## CVE Details
- **CVE ID:** CVE-2018-20022
- **CVSS Score:** 5.0 (Medium) is the CVSS v2 base score listed by NVD. The CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N computes to a v3 base score of 6.5 (Medium). *Note: the Kaspersky article mentions an E:P (proof-of-concept exploit maturity) temporal metric and gives an adjusted score of 4.4.*
- **CWE:** CWE-665: Improper Initialization
## Affected Systems
- **Products:** LibVNCServer (specifically the VNC client code/library)
- **Versions:** All versions prior to the 0.9.12 release.
- **Configurations:** Any application that links `libvncclient` and connects to VNC servers (the server-side `libvncserver` code is not the subject of this CVE).
## Vulnerability Description
LibVNC contains multiple instances of improper initialization in its client-side code. When the client processes data from a VNC server, certain stack buffers or structures are not initialized before use; only the bytes derived from the server's message are written, while the rest keep whatever the stack previously held. A malicious or compromised VNC server can send crafted responses that cause the client to copy such a partially initialized buffer into a message or reply, so stale stack content (saved registers, return addresses, pointers into other frames) is disclosed.
The primary technical impact is information disclosure. An uninitialized-memory leak of this kind is not a resource leak; it is a read of stale data. It is most dangerous in combination with a memory-corruption bug, because the leaked pointers and return addresses reveal the stack layout and code/stack base addresses, which defeats Address Space Layout Randomization (ASLR) and lets an attacker build a reliable exploit.
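The following C program, added here as an illustration and not taken from LibVNC, shows the CWE-665 pattern the advisory describes and its fix. The message format (a one-byte length prefix plus body), the handler names `vuln_build_reply`/`fixed_build_reply`, the reply layout and the sample server message are all constructed for the example. The vulnerable handler validates the length correctly but copies the whole stack buffer into the reply, so every byte beyond the server-supplied payload is stale stack content; the fixed handler zeroes the buffer first and emits only the bytes it actually filled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example of CWE-665 in a VNC-style client. NOT LibVNC code:
 * the message format, handler names and the reply are invented for this
 * page. The pattern is the one CVE-2018-20022 describes: a stack buffer is
 * only partially filled from a server-controlled message, but the whole
 * buffer is copied into data that goes back on the wire.
 */

#define REPLY_MAX 64

/* Constructed server message: 1-byte length prefix (5) followed by the body. */
static const uint8_t SERVER_MSG[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/*
 * Vulnerable handler. 'echo' is never initialized; only n bytes are written,
 * yet REPLY_MAX bytes are emitted. Bytes n..REPLY_MAX-1 are whatever an
 * earlier call left on the stack. Returns the number of bytes emitted.
 */
size_t vuln_build_reply(const uint8_t *msg, size_t msg_len, uint8_t *reply)
{
    uint8_t echo[REPLY_MAX];                 /* uninitialized stack buffer */
    size_t n;

    if (msg_len < 1)
        return 0;
    n = msg[0];
    if (n > REPLY_MAX || n > msg_len - 1)    /* bounds check is correct...   */
        return 0;
    memcpy(echo, msg + 1, n);                /* ...but only n bytes are defined */
    memcpy(reply, echo, REPLY_MAX);          /* stale stack goes to the server */
    return REPLY_MAX;
}

/*
 * Fixed handler: clear the buffer before use and emit only what was filled.
 * memset is used rather than "= {0}" on purpose: it also clears padding in
 * structs, which a brace initializer is not guaranteed to do.
 */
size_t fixed_build_reply(const uint8_t *msg, size_t msg_len, uint8_t *reply)
{
    uint8_t echo[REPLY_MAX];
    size_t n;

    memset(echo, 0, sizeof echo);
    if (msg_len < 1)
        return 0;
    n = msg[0];
    if (n > REPLY_MAX || n > msg_len - 1)
        return 0;
    memcpy(echo, msg + 1, n);
    memcpy(reply, echo, n);                  /* send exactly the defined bytes */
    return n;
}

/*
 * Bytes in a reply that were never derived from the server message. For the
 * vulnerable handler this is the size of the stack leak; for the fixed one, 0.
 */
size_t stale_bytes(size_t reply_len, const uint8_t *msg, size_t msg_len)
{
    size_t n = msg_len ? msg[0] : 0;
    return reply_len > n ? reply_len - n : 0;
}

/* Wrappers that run each handler on the constructed message. */
size_t demo_vuln_len(void)
{
    uint8_t r[REPLY_MAX];
    return vuln_build_reply(SERVER_MSG, sizeof SERVER_MSG, r);
}

size_t demo_fixed_len(void)
{
    uint8_t r[REPLY_MAX];
    return fixed_build_reply(SERVER_MSG, sizeof SERVER_MSG, r);
}

/* 1 if the fixed handler reproduces exactly the 5-byte body and nothing else. */
int demo_fixed_body_ok(void)
{
    uint8_t r[REPLY_MAX];
    size_t n = fixed_build_reply(SERVER_MSG, sizeof SERVER_MSG, r);
    return n == 5 && memcmp(r, "hello", 5) == 0;
}

int main(void)
{
    size_t v = demo_vuln_len(), f = demo_fixed_len();
    printf("vulnerable: %zu bytes sent, %zu stale stack bytes leaked\n",
           v, stale_bytes(v, SERVER_MSG, sizeof SERVER_MSG));
    printf("fixed:      %zu bytes sent, %zu stale stack bytes leaked\n",
           f, stale_bytes(f, SERVER_MSG, sizeof SERVER_MSG));
    return 0;
}
```

Compiling with `-fsanitize=memory` (clang) or running under Valgrind flags the `memcpy(reply, echo, REPLY_MAX)` read of uninitialized bytes in the vulnerable path; the fixed path is clean. The actual content of the 59 stale bytes depends on what ran before the handler, which is exactly why a remote server that can trigger the path repeatedly can harvest return addresses and frame pointers from them.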
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low.
- **Attack Vector:** Network (remotely exploitable; requires a vulnerable client to connect to a malicious or compromised VNC server, or to one an attacker can impersonate on the path).
- **User Interaction:** Required (User must initiate a connection).
## Impact
- **Confidentiality:** High (Leak of stack memory/sensitive data/ASLR layout).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
- **Update to LibVNCServer 0.9.12** or newer.
- Specific commit fix: `2f5b2ad1c6c99b1ac6482c95844a84d66bb52838`.
### Workarounds
- Ensure VNC clients only connect to trusted servers, and protect the transport (for example by tunnelling VNC over SSH or TLS) so that an attacker on the path cannot impersonate the server.
- Disable or restrict LibVNC-based client applications in environments where connections to untrusted or external servers are possible.
## Detection
- **Indicators of Compromise:** Client-to-server VNC messages whose trailing bytes do not correspond to protocol fields (stale stack content, often pointer-sized values), typically following malformed or unusual server responses. Note that the leaked data flows from the client to the server, and that tunnelled or encrypted VNC sessions make this kind of inspection impractical.
- **Detection Methods:**
- Software Inventory: Identify application binaries and packages that link a pre-0.9.12 `libvncclient` (for example via the package manager, `ldd`, or embedded version strings).
- Vulnerability Scanning: Use security scanners to identify outdated instances of `libvncclient`.
## References
- **Kaspersky Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-20022
- **GitHub Release:** hxxps[://]github[.]com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12
- **CWE Definition:** hxxps[://]cwe[.]mitre[.]org/data/definitions/665[.]html