PT-2014-2017 · Libvncserver+5 · Libvncserver+5

Nicolas Ruff

Published

2014-09-24

Updated

2020-10-23

CVE-2014-6052

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions LibVNCServer versions 0.9.9 and earlier

Description The issue is related to the HandleRFBServerMessage function in LibVNCServer, which is associated with an error in designating the full screen. Exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability can be triggered by a remote VNC server specifying a large screen size in certain messages, potentially leading to application crashes or arbitrary code execution.

Recommendations For LibVNCServer versions 0.9.9 and earlier, consider disabling the HandleRFBServerMessage function as a temporary workaround until a patch is available. Restrict access to the LibVNCServer library to minimize the risk of exploitation. Avoid using the library with untrusted VNC servers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2015-1418

BDU:2020-00582

CESA-2014_1826

CVE-2014-6052

DLA-197-1

DLA-1979-1

DSA-3081-1

MGASA-2014-0397

RHSA-2014:1826

RHSA-2014_1826

SUSE-SU-2015:2088-1

SUSE-SU-2015:2088-2

SUSE-SU-2015:2110-1

USN-2365-1

USN-4587-1

Affected Products

Alt Linux

Centos

Libvncserver

Red Hat

Suse

Ubuntu

PT-2014-2017 · Libvncserver+5 · Libvncserver+5

CVE-2014-6052

Weakness Enumeration

Related Identifiers

Affected Products

References · 160