This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2020-1811.NASLEulerOS 2.0 SP8 : libvncserver (EulerOS-SA-2020-1811)
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.7%
According to the versions of the libvncserver package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
-
An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/hextile.c allows out-of-bounds access via encodings.(CVE-2020-14403) -
An issue was discovered in LibVNCServer before 0.9.13.
An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c.(CVE-2020-14398) -
An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/scale.c has a pixel_value integer overflow.(CVE-2020-14401) -
An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/corre.c allows out-of-bounds access via encodings.(CVE-2020-14402) -
An issue was discovered in LibVNCServer before 0.9.13.
Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c.(CVE-2020-14400) -
An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/rre.c allows out-of-bounds access via encodings.(CVE-2020-14404) -
An issue was discovered in LibVNCServer before 0.9.13.
There is an information leak (of uninitialized memory contents) in the libvncclient/rfbproto.c ConnectToRFBRepeater function.(CVE-2018-21247) -
libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename.(CVE-2019-20839)
-
An issue was discovered in LibVNCServer before 0.9.13.
libvncclient/rfbproto.c does not limit TextChat size.(CVE-2020-14405) -
An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/rfbregion.c has a NULL pointer dereference.(CVE-2020-14397) -
An issue was discovered in LibVNCServer before 0.9.13.
Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c.(CVE-2020-14399)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(139141);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/12");
script_cve_id(
"CVE-2018-21247",
"CVE-2019-20839",
"CVE-2020-14397",
"CVE-2020-14398",
"CVE-2020-14399",
"CVE-2020-14400",
"CVE-2020-14401",
"CVE-2020-14402",
"CVE-2020-14403",
"CVE-2020-14404",
"CVE-2020-14405"
);
script_name(english:"EulerOS 2.0 SP8 : libvncserver (EulerOS-SA-2020-1811)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the libvncserver package installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/hextile.c allows out-of-bounds access via
encodings.(CVE-2020-14403)
- An issue was discovered in LibVNCServer before 0.9.13.
An improperly closed TCP connection causes an infinite
loop in libvncclient/sockets.c.(CVE-2020-14398)
- An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/scale.c has a pixel_value integer
overflow.(CVE-2020-14401)
- An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/corre.c allows out-of-bounds access via
encodings.(CVE-2020-14402)
- An issue was discovered in LibVNCServer before 0.9.13.
Byte-aligned data is accessed through uint16_t pointers
in libvncserver/translate.c.(CVE-2020-14400)
- An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/rre.c allows out-of-bounds access via
encodings.(CVE-2020-14404)
- An issue was discovered in LibVNCServer before 0.9.13.
There is an information leak (of uninitialized memory
contents) in the libvncclient/rfbproto.c
ConnectToRFBRepeater function.(CVE-2018-21247)
- libvncclient/sockets.c in LibVNCServer before 0.9.13
has a buffer overflow via a long socket
filename.(CVE-2019-20839)
- An issue was discovered in LibVNCServer before 0.9.13.
libvncclient/rfbproto.c does not limit TextChat
size.(CVE-2020-14405)
- An issue was discovered in LibVNCServer before 0.9.13.
libvncserver/rfbregion.c has a NULL pointer
dereference.(CVE-2020-14397)
- An issue was discovered in LibVNCServer before 0.9.13.
Byte-aligned data is accessed through uint32_t pointers
in libvncclient/rfbproto.c.(CVE-2020-14399)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1811
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6adb34ca");
script_set_attribute(attribute:"solution", value:
"Update the affected libvncserver packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14401");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-21247");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/30");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libvncserver");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
flag = 0;
pkgs = ["libvncserver-0.9.11-8.h2.eulerosv2r8"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libvncserver");
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21247
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20839
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14397
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14398
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14399
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14400
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14401
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14403
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14404
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14405
www.nessus.org/u?6adb34ca
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.7%