TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results Denial of System (DoS). This attack appear to be exploitable via network connectivity.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tightvnc | Tightvnc | 1.3.10 (including) | 1.3.10 (including) |
| Libvncserver | Ubuntu | bionic | * |
| Libvncserver | Ubuntu | disco | * |
| Libvncserver | Ubuntu | eoan | * |
| Libvncserver | Ubuntu | esm-infra/bionic | * |
| Libvncserver | Ubuntu | esm-infra/focal | * |
| Libvncserver | Ubuntu | esm-infra/xenial | * |
| Libvncserver | Ubuntu | focal | * |
| Libvncserver | Ubuntu | trusty | * |
| Libvncserver | Ubuntu | xenial | * |
| Ssvnc | Ubuntu | bionic | * |
| Ssvnc | Ubuntu | disco | * |
| Ssvnc | Ubuntu | eoan | * |
| Ssvnc | Ubuntu | focal | * |
| Ssvnc | Ubuntu | groovy | * |
| Ssvnc | Ubuntu | hirsute | * |
| Ssvnc | Ubuntu | impish | * |
| Ssvnc | Ubuntu | kinetic | * |
| Ssvnc | Ubuntu | lunar | * |
| Ssvnc | Ubuntu | mantic | * |
| Ssvnc | Ubuntu | oracular | * |
| Ssvnc | Ubuntu | plucky | * |
| Ssvnc | Ubuntu | trusty | * |
| Ssvnc | Ubuntu | xenial | * |
| Tightvnc | Ubuntu | bionic | * |
| Tightvnc | Ubuntu | disco | * |
| Tightvnc | Ubuntu | eoan | * |
| Tightvnc | Ubuntu | esm-infra-legacy/trusty | * |
| Tightvnc | Ubuntu | focal | * |
| Tightvnc | Ubuntu | groovy | * |
| Tightvnc | Ubuntu | hirsute | * |
| Tightvnc | Ubuntu | impish | * |
| Tightvnc | Ubuntu | kinetic | * |
| Tightvnc | Ubuntu | lunar | * |
| Tightvnc | Ubuntu | mantic | * |
| Tightvnc | Ubuntu | oracular | * |
| Tightvnc | Ubuntu | plucky | * |
| Tightvnc | Ubuntu | trusty | * |
| Tightvnc | Ubuntu | trusty/esm | * |
| Tightvnc | Ubuntu | xenial | * |
| Veyon | Ubuntu | disco | * |
| Veyon | Ubuntu | eoan | * |
| Veyon | Ubuntu | focal | * |
| Veyon | Ubuntu | groovy | * |
| Veyon | Ubuntu | hirsute | * |
| Veyon | Ubuntu | impish | * |
| Veyon | Ubuntu | kinetic | * |
| Veyon | Ubuntu | lunar | * |
| Veyon | Ubuntu | mantic | * |
| Veyon | Ubuntu | oracular | * |
| Veyon | Ubuntu | plucky | * |
| Veyon | Ubuntu | trusty | * |
| Vncsnapshot | Ubuntu | bionic | * |
| Vncsnapshot | Ubuntu | disco | * |
| Vncsnapshot | Ubuntu | eoan | * |
| Vncsnapshot | Ubuntu | focal | * |
| Vncsnapshot | Ubuntu | groovy | * |
| Vncsnapshot | Ubuntu | hirsute | * |
| Vncsnapshot | Ubuntu | impish | * |
| Vncsnapshot | Ubuntu | kinetic | * |
| Vncsnapshot | Ubuntu | lunar | * |
| Vncsnapshot | Ubuntu | mantic | * |
| Vncsnapshot | Ubuntu | oracular | * |
| Vncsnapshot | Ubuntu | plucky | * |
| Vncsnapshot | Ubuntu | trusty | * |
| Vncsnapshot | Ubuntu | xenial | * |
| X11vnc | Ubuntu | bionic | * |
| X11vnc | Ubuntu | disco | * |
| X11vnc | Ubuntu | eoan | * |
| X11vnc | Ubuntu | focal | * |
| X11vnc | Ubuntu | groovy | * |
| X11vnc | Ubuntu | hirsute | * |
| X11vnc | Ubuntu | impish | * |
| X11vnc | Ubuntu | kinetic | * |
| X11vnc | Ubuntu | lunar | * |
| X11vnc | Ubuntu | mantic | * |
| X11vnc | Ubuntu | trusty | * |
| X11vnc | Ubuntu | trusty/esm | * |
| X11vnc | Ubuntu | xenial | * |
Potential Mitigations
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-08
- https://usn.ubuntu.com/4407-1/
- https://www.openwall.com/lists/oss-security/2018/12/10/5
- https://cert-portal.siemens.com/productcert/pdf/ssa-478893.pdf
- https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- https://us-cert.cisa.gov/ics/advisories/icsa-20-343-08
- https://usn.ubuntu.com/4407-1/
- https://www.openwall.com/lists/oss-security/2018/12/10/5