 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.892016 |
| Category: | Debian Local Security Checks |
| Title: | Debian: Security Advisory (DLA-2016-1) |
| Summary: | The remote host is missing an update for the Debian 'ssvnc' package(s) announced via the DLA-2016-1 advisory. |
| Description: | Summary: The remote host is missing an update for the Debian 'ssvnc' package(s) announced via the DLA-2016-1 advisory. Vulnerability Insight: Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver (which also ships the libvncclient shared library). The ssvnc source package in Debian ships a custom-patched, stripped down and outdated variant of libvncclient, thus some of libvncclient's security fixes required porting over. CVE-2018-20020 LibVNC contained heap out-of-bound write vulnerability inside structure in VNC client code that can result remote code execution CVE-2018-20021 LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. Vulnerability allows attacker to consume excessive amount of resources like CPU and RAM CVE-2018-20022 LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR. CVE-2018-20024 LibVNC contained null pointer dereference in VNC client code that could result DoS. For Debian 8 Jessie, these problems have been fixed in version 1.0.29-2+deb8u1. We recommend that you upgrade your ssvnc packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'ssvnc' package(s) on Debian 8. Solution: Please install the updated package(s). CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2018-20020 Debian Security Information: DSA-4383 (Google Search) https://www.debian.org/security/2019/dsa-4383 https://security.gentoo.org/glsa/201908-05 https://security.gentoo.org/glsa/202006-06 https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/ https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html https://usn.ubuntu.com/3877-1/ https://usn.ubuntu.com/4547-1/ https://usn.ubuntu.com/4547-2/ https://usn.ubuntu.com/4587-1/ Common Vulnerability Exposure (CVE) ID: CVE-2018-20021 https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/ https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html Common Vulnerability Exposure (CVE) ID: CVE-2018-20022 https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/ Common Vulnerability Exposure (CVE) ID: CVE-2018-20024 https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-034-libvnc-null-pointer-dereference/ |
| Copyright | Copyright (C) 2019 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |