ID CVE-2019-20788
Summary libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
References
Vulnerable Configurations
  • cpe:2.3:a:libvnc_project:libvncserver:0.9.12:*:*:*:*:*:*:*
    cpe:2.3:a:libvnc_project:libvncserver:0.9.12:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc1500_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc1500_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc1500:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc1500:-:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc1500_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc1500_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc1500_pro:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc1500_pro:-:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc1900_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc1900_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc1900:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc1900:-:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc1900_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc1900_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc1900_pro:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc1900_pro:-:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc2200_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc2200_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc2200:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc2200:-:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:simatic_itc2200_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:siemens:simatic_itc2200_pro_firmware:3.0.0.0:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:simatic_itc2200_pro:-:*:*:*:*:*:*:*
    cpe:2.3:h:siemens:simatic_itc2200_pro:-:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 10-03-2022 - 14:54)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1811948
    title CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment libvncserver is earlier than 0:0.9.9-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200913001
          • comment libvncserver is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141826002
        • AND
          • comment libvncserver-devel is earlier than 0:0.9.9-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200913003
          • comment libvncserver-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141826004
    rhsa
    id RHSA-2020:0913
    released 2020-03-23
    severity Important
    title RHSA-2020:0913: libvncserver security update (Important)
  • bugzilla
    id 1811948
    title CVE-2019-15690 libvncserver: HandleCursorShape() integer overflow resulting in heap-based buffer overflow
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment libvncserver is earlier than 0:0.9.11-9.el8_1.2
            oval oval:com.redhat.rhsa:tst:20200920001
          • comment libvncserver is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141826002
        • AND
          • comment libvncserver-debugsource is earlier than 0:0.9.11-9.el8_1.2
            oval oval:com.redhat.rhsa:tst:20200920003
          • comment libvncserver-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20200920004
        • AND
          • comment libvncserver-devel is earlier than 0:0.9.11-9.el8_1.2
            oval oval:com.redhat.rhsa:tst:20200920005
          • comment libvncserver-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141826004
    rhsa
    id RHSA-2020:0920
    released 2020-03-23
    severity Important
    title RHSA-2020:0920: libvncserver security update (Important)
rpms
  • libvncserver-0:0.9.9-14.el7_7
  • libvncserver-debuginfo-0:0.9.9-14.el7_7
  • libvncserver-devel-0:0.9.9-14.el7_7
  • libvncserver-0:0.9.11-9.el8_1.2
  • libvncserver-debuginfo-0:0.9.11-9.el8_1.2
  • libvncserver-debugsource-0:0.9.11-9.el8_1.2
  • libvncserver-devel-0:0.9.11-9.el8_1.2
  • libvncserver-0:0.9.11-9.el8_0.2
  • libvncserver-debuginfo-0:0.9.11-9.el8_0.2
  • libvncserver-debugsource-0:0.9.11-9.el8_0.2
refmap via4
misc https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
suse openSUSE-SU-2020:0624
ubuntu USN-4407-1
Last major update 10-03-2022 - 14:54
Published 23-04-2020 - 19:15
Last modified 10-03-2022 - 14:54
Back to Top