CVE-2017-18922 – CVE-2017-18922 is a heap-based buffer overflow ... (How to Fix)

Q: What is the severity of CVE-2017-18922?

CVE-2017-18922 has a CVSS score of 9.8 (CRITICAL). CVE-2017-18922 is a heap-based buffer overflow vulnerability in LibVNCServer's WebSocket handling that allows remote attackers to execute arbitrary code or cause denial of service. It affects servers using LibVNCServer versions prior to 0.9.12 with WebSocket support enabled. This vulnerability is particularly dangerous because it can be exploited without authentication.

📋 TL;DR

CVE-2017-18922 is a heap-based buffer overflow vulnerability in LibVNCServer's WebSocket handling that allows remote attackers to execute arbitrary code or cause denial of service. It affects servers using LibVNCServer versions prior to 0.9.12 with WebSocket support enabled. This vulnerability is particularly dangerous because it can be exploited without authentication.

💻 Affected Systems

Products:

LibVNCServer
Any software using LibVNCServer library

Versions: All versions prior to 0.9.12

Operating Systems: All platforms running affected LibVNCServer

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with WebSocket support enabled in LibVNCServer configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service causing service disruption and potential system crashes.

🟢

If Mitigated

Limited impact with proper network segmentation and exploit prevention controls.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication via WebSocket connections.

🏢 Internal Only: MEDIUM - Still exploitable within network but requires internal access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted WebSocket frames to vulnerable servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.12 and later

Vendor Advisory: https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12

Restart Required: Yes

Instructions:

1. Update LibVNCServer to version 0.9.12 or later. 2. Recompile any applications using LibVNCServer. 3. Restart affected services.

🔧 Temporary Workarounds

Disable WebSocket Support

all

Disable WebSocket protocol in LibVNCServer configuration

Configure LibVNCServer with -DWEBSOCKETS=OFF during compilation

Network Filtering

linux

Block WebSocket connections at network perimeter

iptables -A INPUT -p tcp --dport 5900 -m string --string "Sec-WebSocket-Key" --algo bm -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable systems
Deploy Web Application Firewall (WAF) with WebSocket attack detection rules

🔍 How to Verify

Check if Vulnerable:

Check LibVNCServer version and verify if WebSocket support is enabled in configuration

Check Version:

vncserver --version 2>&1 | grep -i libvnc

Verify Fix Applied:

Verify LibVNCServer version is 0.9.12 or later and test WebSocket functionality

📡 Detection & Monitoring

Log Indicators:

Abnormal WebSocket connection attempts
Memory allocation errors in server logs
Process crashes related to LibVNCServer

Network Indicators:

Malformed WebSocket frames
Unusual WebSocket traffic patterns
Exploit-specific payload patterns

SIEM Query:

source="*vnc*" AND (event="crash" OR event="buffer_overflow" OR event="websocket_error")

📊 Metadata

CVE ID: CVE-2017-18922

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: June 30, 2020

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00020.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00028.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00033.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00055.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00066.html Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/30/3 Mailing List,Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1852356 Issue Tracking,Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf Patch,Third Party Advisory
https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433 Patch,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4F6FUH4EFK4NAP6GT4TQRTBKWIRCZLIY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NVP7TJVYJDXDFRHVQ3ENEN3H354QPXEZ/
https://usn.ubuntu.com/4407-1/ Patch,Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/06/30/2 Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00020.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00028.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00033.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00055.html Mailing List,Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00066.html Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/30/3 Mailing List,Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1852356 Issue Tracking,Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf Patch,Third Party Advisory
https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433 Patch,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4F6FUH4EFK4NAP6GT4TQRTBKWIRCZLIY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NVP7TJVYJDXDFRHVQ3ENEN3H354QPXEZ/
https://usn.ubuntu.com/4407-1/ Patch,Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/06/30/2 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-18922, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fedora by Fedoraproject

Fedora by Fedoraproject

Leap by Opensuse

Leap by Opensuse

Libvncserver by Libvncserver Project

Simatic Itc1500 Firmware by Siemens

Simatic Itc1500 Pro Firmware by Siemens

Simatic Itc1900 Firmware by Siemens

Simatic Itc1900 Pro Firmware by Siemens

Simatic Itc2200 Firmware by Siemens

Simatic Itc2200 Pro Firmware by Siemens

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

Ubuntu Linux by Canonical

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable WebSocket Support

Network Filtering

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities