CVE-2018-20748

9.8 CRITICAL

📋 TL;DR

CVE-2018-20748 is a critical heap out-of-bounds write vulnerability in the LibVNC client library (libvncclient) that allows remote code execution. Attackers can exploit it by sending specially crafted VNC protocol packets to a vulnerable client from a malicious server. Any system using LibVNC versions before 0.9.12 is affected.

💻 Affected Systems

Products:
  • LibVNC
  • Any software using the LibVNC library
  • VNC clients based on LibVNC
Versions: All versions before 0.9.12
Operating Systems: Linux, Unix-like systems, Windows if using LibVNC
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the client component (libvncclient), not the server. Any application linking against vulnerable LibVNC versions is affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via remote code execution, allowing an attacker to execute arbitrary code with the privileges of the VNC client application

🟠 Likely Case: Remote code execution leading to system compromise, data theft, or lateral movement

🟢 If Mitigated: Denial of service or application crash if the exploit fails

🌐 Internet-Facing: HIGH - VNC clients often connect to untrusted servers, making internet-facing instances highly vulnerable
🏢 Internal Only: MEDIUM - Internal VNC connections still pose risk from compromised internal systems

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the vulnerable client to connect to a malicious server. The vulnerability is in protocol parsing, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.12 and later

Vendor Advisory: https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.12

Restart Required: Yes

Instructions:

1. Update LibVNC to version 0.9.12 or later.
2. Recompile any applications that statically link or bundle LibVNC.
3. Restart affected services.
4. For package managers: 'apt-get update && apt-get upgrade libvncserver' or equivalent.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict VNC client connections to trusted servers only. Rule order matters: the ACCEPT for the trusted server must be added before the catch-all DROP, otherwise the DROP matches first and every outbound VNC connection is blocked. Replace trusted_server_ip with the address of the VNC server you actually need to reach.

# Allow outbound VNC (ports 5900-5910) only to the trusted server
iptables -A OUTPUT -p tcp -d trusted_server_ip -m multiport --dports 5900:5910 -j ACCEPT
# Drop all other outbound VNC connections
iptables -A OUTPUT -p tcp -m multiport --dports 5900:5910 -j DROP

Application Whitelisting

Platform: all

Prevent execution of unauthorized binaries that might result from exploitation

🧯 If You Can't Patch

  • Isolate VNC clients in separate network segments with strict egress filtering
  • Implement application control to prevent execution of unauthorized processes

🔍 How to Verify

Check if Vulnerable:

Check which LibVNC libraries are installed: 'ldconfig -p | grep vnc', then verify the package version is < 0.9.12. Check which applications link the library: 'ldd /path/to/application | grep vnc'.

Check Version:

pkg-config --modversion libvncserver || dpkg -l | grep libvnc || rpm -qa | grep vnc

Verify Fix Applied:

Verify LibVNC version is 0.9.12 or later: 'pkg-config --modversion libvncserver'. Test with known vulnerable test cases if available.
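As an added example (not part of this advisory), a POSIX shell script that automates the checks above: it reads the installed LibVNC version, compares it against the fixed release 0.9.12, and lists executables that link libvncclient. The package names it queries (libvncclient1 on Debian, libvncserver on RPM systems) and the directories it scans are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the installed LibVNC
# client library predates the fixed release 0.9.12 and which executables link it.
# Assumptions: GNU sort -V is available; the package names libvncclient1 (Debian)
# and libvncserver (RPM) and the search directories are best guesses.

FIXED_VERSION="0.9.12"

# is_vulnerable_version VERSION: succeed (0) if VERSION sorts before 0.9.12.
# Distro suffixes such as "0.9.11+dfsg-1.3" are stripped before comparing.
is_vulnerable_version() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$FIXED_VERSION" ]
}

# installed_version: print the installed version via pkg-config, dpkg or rpm.
installed_version() {
    v=$(pkg-config --modversion libvncclient 2>/dev/null)
    [ -n "$v" ] || v=$(dpkg-query -W -f='${Version}' libvncclient1 2>/dev/null)
    [ -n "$v" ] || v=$(rpm -q --qf '%{VERSION}' libvncserver 2>/dev/null) || v=""
    [ -n "$v" ] && printf '%s\n' "$v"
}

# linked_binaries DIR...: print executables under DIR that link libvncclient.
linked_binaries() {
    find "$@" -type f -perm -u+x 2>/dev/null | while read -r bin; do
        ldd "$bin" 2>/dev/null | grep -q 'libvncclient' && printf '%s\n' "$bin"
    done
}

main() {
    v=$(installed_version) || { echo "No LibVNC client library found"; return 2; }
    if is_vulnerable_version "$v"; then
        echo "VULNERABLE: LibVNC $v is older than $FIXED_VERSION (CVE-2018-20748)"
        echo "Executables linking libvncclient:"
        linked_binaries /usr/bin /usr/local/bin
        return 1
    fi
    echo "OK: LibVNC $v is $FIXED_VERSION or later"
}

# Run the full check only when invoked as: sh check_libvnc.sh --check
case "${1:-}" in --check) main; exit $? ;; esac
```

Exit status 1 means a vulnerable version was found, 2 means no LibVNC client library was detected by any of the package queries.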

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected process termination of VNC clients
  • Memory corruption errors in system logs

Network Indicators:

  • Unusual VNC protocol traffic patterns
  • Connection attempts to VNC clients from unexpected sources
  • Malformed VNC protocol packets

SIEM Query:

source="*vnc*" AND ("segmentation fault" OR "SIGSEGV" OR "heap corruption")

🔗 References
