TightVNC Heap Buffer Overflow Vulnerability
Overview:
TightVNC is a remote desktop software application. It lets you connect to another computer and display its live remote desktop, or control the remote computer with your mouse and keyboard, just as if you were sitting in front of it. Because it is designed to work out of the box, TightVNC is handy not only for system administrators and support staff but for any user who needs remote access. Like other VNC systems, it consists of two parts: the Server, which shares the screen of the machine it is running on, and the Viewer, which displays the remote screen received from the server.
A heap buffer overflow vulnerability has been reported in the TightVNC vncviewer. The vulnerability is due to missing validation of a 32-bit length field in InitialiseRFBConnection() in rfbproto.c.
A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a user running the TightVNC vncviewer.
CVE Reference:
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23967.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is unavailable.
• The report confidence level of this vulnerability is confirmed.
Technical Overview:
VNC uses the Remote Framebuffer (RFB) protocol, a simple protocol for remote access to graphical user interfaces that allows a client to view and control a window system on another computer.
A heap buffer overflow exists in TightVNC. The problem occurs while collecting the desktop name from a ServerInit message in InitialiseRFBConnection(). The function calls ReadFromRFBServer() to read the fixed-size ServerInit message fields, excluding the variable-sized name-string field that follows them. It then calls malloc() with the name-length field, stored in si.nameLength, plus one additional byte for the null terminator. When a name-length value of the maximum 32-bit value (0xFFFFFFFF) is sent, the addition wraps around, causing malloc() to be called with a size of 0. Because malloc(0) returns a valid (minimal) allocation rather than NULL on common C libraries, the allocation-failure check does not catch this case. ReadFromRFBServer() is then called again to copy up to 0xFFFFFFFF attacker-controlled bytes into that zero-length buffer, overflowing the heap.
A remote attacker could exploit this vulnerability by serving a maliciously crafted ServerInit message to a user who connects with the TightVNC vncviewer. Successful exploitation could lead to remote code execution in the security context of the client process, while an unsuccessful attack could lead to a denial-of-service condition.
Triggering the Problem:
• The target system must have the vulnerable product installed.
• The target must have network connectivity to the attacker's server port.
Triggering Conditions:
The target connects to the attacker's server, completes the protocol version and security handshakes, sends the ClientInit message, and receives the malicious ServerInit message. The vulnerability is triggered when the affected product processes the name-length field of that ServerInit message.
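The following is an added example, not TightVNC's own code, that models the ServerInit handling described in the Technical Overview and the triggering conditions above. It lays out the fixed 24-byte ServerInit header as defined in the RFB specification (2-byte width, 2-byte height, 16-byte pixel format, 4-byte name-length), shows the vulnerable size computation (nameLength + 1 on a 32-bit field) beside a hardened check that rejects the message before anything is allocated, and runs both over two constructed messages: a benign one with a 4-byte name and a malicious one carrying a name-length of 0xFFFFFFFF. The function names, the MAX_DESKTOP_NAME cap and the sample bytes are assumptions made for this example.

```c
/*
 * Added example, not TightVNC's own code: a minimal model of ServerInit
 * name-length handling. Header layout is from the RFB specification;
 * function names, the cap and the sample messages are assumed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SZ_RFB_SERVER_INIT 24   /* fixed-size part of ServerInit */
#define MAX_DESKTOP_NAME   1024 /* assumed upper bound on a desktop name */

/* Read a big-endian 32-bit integer (RFB is big-endian on the wire). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable arithmetic: mirrors "malloc(nameLength + 1)" on a 32-bit
 * field. With name_length == 0xFFFFFFFF the addition wraps to 0, so the
 * allocation succeeds with a zero-length buffer. */
size_t vulnerable_alloc_size(uint32_t name_length) {
    uint32_t size = (uint32_t)(name_length + 1u); /* 32-bit wraparound */
    return (size_t)size;
}

/* Hardened: cap the length before any arithmetic or allocation, so the
 * +1 can never wrap. Returns 0 to signal rejection. */
size_t hardened_alloc_size(uint32_t name_length) {
    if (name_length > MAX_DESKTOP_NAME)
        return 0;
    return (size_t)name_length + 1;
}

/* Inspect a ServerInit message. Returns 1 if the hardened check would
 * accept it, 0 if it is truncated, oversized, or claims more name bytes
 * than are present. The claimed length is written to *name_length_out. */
int check_server_init(const uint8_t *msg, size_t len, uint32_t *name_length_out) {
    if (len < SZ_RFB_SERVER_INIT)
        return 0;                              /* truncated header */
    uint32_t name_length = be32(msg + 20);     /* name-length at offset 20 */
    if (name_length_out)
        *name_length_out = name_length;
    if (hardened_alloc_size(name_length) == 0)
        return 0;                              /* reject before allocating */
    if (len - SZ_RFB_SERVER_INIT < name_length)
        return 0;                              /* name bytes not present */
    return 1;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t benign_server_init[] = {
    0x04, 0x00, 0x03, 0x00,             /* width 1024, height 768 */
    0x20, 0x18, 0x00, 0x01,             /* bpp 32, depth 24, LE, true-colour */
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff, /* red/green/blue max */
    0x10, 0x08, 0x00,                   /* red/green/blue shift */
    0x00, 0x00, 0x00,                   /* padding */
    0x00, 0x00, 0x00, 0x04,             /* name-length 4 */
    'h', 'o', 's', 't'                  /* desktop name */
};

const uint8_t malicious_server_init[] = {
    0x04, 0x00, 0x03, 0x00,
    0x20, 0x18, 0x00, 0x01,
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff,
    0x10, 0x08, 0x00,
    0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff              /* name-length 0xFFFFFFFF */
};

int main(void) {
    uint32_t nl;
    int ok = check_server_init(benign_server_init, sizeof benign_server_init, &nl);
    printf("benign: name-length %u accepted=%d vulnerable malloc size=%zu\n",
           nl, ok, vulnerable_alloc_size(nl));
    ok = check_server_init(malicious_server_init, sizeof malicious_server_init, &nl);
    printf("malicious: name-length 0x%08x accepted=%d vulnerable malloc size=%zu\n",
           nl, ok, vulnerable_alloc_size(nl));
    return 0;
}
```

The point of the hardened form is ordering: the cap is applied to the raw field before the +1, so no wraparound is possible, and the message is rejected before malloc() is ever called. Checking malloc()'s return value alone is not enough, because malloc(0) returns a usable pointer on glibc and most other C libraries.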
Attack Delivery:
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• RFB
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 18698 TightVNC Client Heap Buffer Overflow 2
Remediation Details:
The risks posed by this vulnerability can be mitigated or eliminated by:
• Filtering attack traffic using the signature above.
• Blocking VNC connections to untrusted hosts.
• Avoiding use of the TightVNC client on Linux systems.
At the time of writing, the vendor has not released a patch for this vulnerability.
Bug Report