CVE-2018-20750
📋 TL;DR
CVE-2018-20750 is a heap out-of-bounds write vulnerability in LibVNC server versions through 0.9.12. This allows remote attackers to execute arbitrary code or cause denial of service by sending specially crafted VNC protocol messages. Any system running vulnerable LibVNC server software is affected.
💻 Affected Systems
- LibVNC
- LibVNCServer
- Any software using LibVNC libraries
📦 What is this software?
Libvncserver by Libvnc Project
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service causing VNC service crashes and disruption of remote access capabilities.
If Mitigated
Limited impact if network segmentation restricts VNC traffic and systems are patched.
🎯 Exploit Status
Exploitation requires network access to VNC port (default 5900). The incomplete fix for CVE-2018-15127 makes exploitation more reliable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
Vendor Advisory: https://github.com/LibVNC/libvncserver/issues/273
Restart Required: Yes
Instructions:
1. Update LibVNC to a version after the fix commit.
2. Recompile any applications using LibVNC.
3. Restart VNC services.
🔧 Temporary Workarounds
Network Segmentation
Linux: Restrict VNC port access to trusted networks only
iptables -A INPUT -p tcp --dport 5900 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -j DROP
Use SSH Tunneling
All platforms: Tunnel VNC connections through SSH to add encryption and authentication
ssh -L 5900:localhost:5900 user@vnc_server
🧯 If You Can't Patch
- Implement strict network ACLs to allow VNC access only from trusted IP addresses
- Replace VNC with alternative remote access solutions that don't use LibVNC
🔍 How to Verify
Check if Vulnerable:
Check LibVNC version: ldd /path/to/vncserver | grep libvnc, then check version in source or package manager
Check Version:
vncserver --version 2>&1 | grep -i libvnc || find / -name '*libvnc*' -exec strings {} \; | grep -i version
Verify Fix Applied:
Verify version is newer than 0.9.12 or includes commit 09e8fc02f59f16e2583b34fe1a270c238bd9ffec
📡 Detection & Monitoring
Log Indicators:
- VNC service crashes
- Unusual connection patterns to port 5900
- Memory corruption errors in system logs
Network Indicators:
- Malformed VNC protocol packets
- Rapid connection attempts to VNC port
- Traffic from unexpected sources to port 5900
SIEM Query:
destination_port=5900 AND (packet_size>threshold OR protocol_anomaly=true)
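As a concrete form of the network indicators above (traffic from unexpected sources and rapid connection attempts to port 5900), here is an added example that is not part of the original advisory. It assumes firewall log lines in the netfilter LOG field style prefixed with an ISO timestamp; the trusted range, thresholds and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values, not from the advisory: tune to your environment.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]   # networks allowed to reach VNC
VNC_PORT = 5900
MAX_SYNS = 3                                       # more than this per source...
BURST = timedelta(seconds=10)                      # ...inside this span is "rapid"

# ISO timestamp, then netfilter LOG-style fields; only TCP SYNs are considered.
LINE = re.compile(r"^(\S+) .*\bSRC=(\S+) .*\bPROTO=TCP .*\bDPT=(\d+) .*\bSYN\b")

def make_line(sec, src, dpt):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"2024-01-01T10:00:{sec:02d} gw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.1 PROTO=TCP SPT=40000 DPT={dpt} WINDOW=64240 SYN URGP=0")

SAMPLE = "\n".join(make_line(*row) for row in [
    (0, "192.0.2.10", 5900),                       # trusted client
    (1, "203.0.113.7", 5900), (2, "203.0.113.7", 5900),
    (3, "203.0.113.7", 5900), (4, "203.0.113.7", 5900),
    (5, "203.0.113.7", 22),                        # other port, ignored
    (30, "198.51.100.20", 5900),                   # single untrusted connection
])

def analyse(text):
    """Return (untrusted, rapid): sets of source IPs opening connections to VNC_PORT."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and int(m.group(3)) == VNC_PORT:
            seen[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    untrusted, rapid = set(), set()
    for src, times in seen.items():
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED):
            untrusted.add(src)
        times.sort()
        # Sliding window: the (MAX_SYNS+1)-th SYN falls within BURST of the first.
        if any(times[i + MAX_SYNS] - times[i] <= BURST
               for i in range(len(times) - MAX_SYNS)):
            rapid.add(src)
    return untrusted, rapid

if __name__ == "__main__":
    untrusted, rapid = analyse(SAMPLE)
    print("untrusted sources:", sorted(untrusted))
    print("rapid sources:", sorted(rapid))
```

Neither signal proves an exploitation attempt on its own; correlate hits with VNC service crashes on the same host.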
🔗 References
- http://www.securityfocus.com/bid/106825
- https://cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf
- https://github.com/LibVNC/libvncserver/commit/09e8fc02f59f16e2583b34fe1a270c238bd9ffec
- https://github.com/LibVNC/libvncserver/issues/273
- https://lists.debian.org/debian-lts-announce/2019/01/msg00029.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://usn.ubuntu.com/3877-1/
- https://usn.ubuntu.com/4547-1/
- https://usn.ubuntu.com/4587-1/
- https://www.openwall.com/lists/oss-security/2018/12/10/8