ID CVE-2019-15695
Summary TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since remote attacker can choose offset from start of the buffer to start writing his values, exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.
References
Vulnerable Configurations
  • cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:-:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:0.0.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:0.0.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:0.0.91:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:0.0.91:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.0.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.0.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.1:beta1:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.1:beta1:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.1.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.1.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.2.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.2.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.3.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.3.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.4.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.4.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.5.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.5.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.6.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.6.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.7:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.7.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.7.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.8.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.8.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.8.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.9.90:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.9.90:*:*:*:*:*:*:*
  • cpe:2.3:a:tigervnc:tigervnc:1.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:tigervnc:tigervnc:1.10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS
Base: 6.5 (as of 16-10-2020 - 20:00)
Impact:
Exploitability:
CWE CWE-754
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1790318
    title CVE-2019-15695 tigervnc: Stack buffer overflow in CMsgReader::readSetCursor
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment tigervnc is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497001
          • comment tigervnc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871002
        • AND
          • comment tigervnc-debugsource is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497003
          • comment tigervnc-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20201497004
        • AND
          • comment tigervnc-icons is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497005
          • comment tigervnc-icons is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233004
        • AND
          • comment tigervnc-license is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497007
          • comment tigervnc-license is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233006
        • AND
          • comment tigervnc-server is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497009
          • comment tigervnc-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871004
        • AND
          • comment tigervnc-server-applet is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497011
          • comment tigervnc-server-applet is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871006
        • AND
          • comment tigervnc-server-minimal is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497013
          • comment tigervnc-server-minimal is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233012
        • AND
          • comment tigervnc-server-module is earlier than 0:1.9.0-14.el8_1
            oval oval:com.redhat.rhsa:tst:20201497015
          • comment tigervnc-server-module is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871008
    rhsa
    id RHSA-2020:1497
    released 2020-04-16
    severity Moderate
    title RHSA-2020:1497: tigervnc security update (Moderate)
  • bugzilla
    id 1826822
    title TigerVNC exits at startup
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment tigervnc is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875001
          • comment tigervnc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871002
        • AND
          • comment tigervnc-icons is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875003
          • comment tigervnc-icons is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233004
        • AND
          • comment tigervnc-license is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875005
          • comment tigervnc-license is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233006
        • AND
          • comment tigervnc-server is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875007
          • comment tigervnc-server is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871004
        • AND
          • comment tigervnc-server-applet is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875009
          • comment tigervnc-server-applet is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871006
        • AND
          • comment tigervnc-server-minimal is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875011
          • comment tigervnc-server-minimal is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20152233012
        • AND
          • comment tigervnc-server-module is earlier than 0:1.8.0-21.el7
            oval oval:com.redhat.rhsa:tst:20203875013
          • comment tigervnc-server-module is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110871008
    rhsa
    id RHSA-2020:3875
    released 2020-09-29
    severity Moderate
    title RHSA-2020:3875: tigervnc security and bug fix update (Moderate)
rpms
  • tigervnc-0:1.9.0-14.el8_1
  • tigervnc-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-debugsource-0:1.9.0-14.el8_1
  • tigervnc-icons-0:1.9.0-14.el8_1
  • tigervnc-license-0:1.9.0-14.el8_1
  • tigervnc-server-0:1.9.0-14.el8_1
  • tigervnc-server-applet-0:1.9.0-14.el8_1
  • tigervnc-server-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-server-minimal-0:1.9.0-14.el8_1
  • tigervnc-server-minimal-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-server-module-0:1.9.0-14.el8_1
  • tigervnc-server-module-debuginfo-0:1.9.0-14.el8_1
  • tigervnc-0:1.8.0-21.el7
  • tigervnc-debuginfo-0:1.8.0-21.el7
  • tigervnc-icons-0:1.8.0-21.el7
  • tigervnc-license-0:1.8.0-21.el7
  • tigervnc-server-0:1.8.0-21.el7
  • tigervnc-server-applet-0:1.8.0-21.el7
  • tigervnc-server-minimal-0:1.8.0-21.el7
  • tigervnc-server-module-0:1.8.0-21.el7
refmap via4
misc
mlist [oss-security] 20191220 VNC vulnerabilities. TigerVNC security update
suse openSUSE-SU-2020:0087
Last major update 16-10-2020 - 20:00
Published 26-12-2019 - 16:15
Last modified 16-10-2020 - 20:00
Back to Top