SB2019102921 - Information disclosure in LibVNC

Description

This security bulletin contains information about 1 security vulnerability.

1) Memory leak (CVE-ID: CVE-2019-15681)

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due memory leak in VNC server code. A remote attacker can read stack memory and disclose sensitive information.

Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

Remediation

Install update from vendor's website.

References

• https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a
• https://ics-cert.kaspersky.com/reports/2019/11/22/vnc-vulnerability-research/
• https://lists.debian.org/debian-lts-announce/2019/10/msg00039.html
• https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html