CVE-2018-20023 : LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Imprope

LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allows attacker to read stack memory and can be abuse for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and in bypassing ASLR

Published 2018-12-19 16:29:01

Updated 2020-10-23 13:15:15

Source Kaspersky Labs

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2018-20023

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.10
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Matching versions
Libvnc Project » Libvncserver
Versions before (<) 0.9.12
cpe:2.3:a:libvnc_project:libvncserver:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-20023

EPSS FAQ

1.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-20023

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2018-20023

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-20023

https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html

[SECURITY] [DLA 1617-1] libvncserver security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4587-1/

USN-4587-1: iTALC vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html

[SECURITY] [DLA 1979-1] italc security update

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4383

Debian -- Security Information -- DSA-4383-1 libvncserver
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201908-05

LibVNCServer: Multiple vulnerabilities (GLSA 201908-05) — Gentoo security

CVEs referencing this url
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-033-libvnc-memory-leak/

KLCERT-18-033: LibVNC Memory leak | Kaspersky Lab ICS CERT
Third Party Advisory
https://usn.ubuntu.com/4547-1/

USN-4547-1: iTALC vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
https://usn.ubuntu.com/3877-1/

USN-3877-1: LibVNCServer vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2018-20023

Products affected by CVE-2018-20023

Exploit prediction scoring system (EPSS) score for CVE-2018-20023

CVSS scores for CVE-2018-20023

CWE ids for CVE-2018-20023

References for CVE-2018-20023