CVE-2018-21247

7.5 HIGH

📋 TL;DR

CVE-2018-21247 is an information leak of uninitialized memory in LibVNCServer before 0.9.13. Despite the project name, the affected code is on the client side of the library: ConnectToRFBRepeater() in libvncclient/rfbproto.c formats the "host:port" target into a 250-byte stack buffer and then sends the whole buffer to the VNC repeater, so every byte after the string terminator, which is whatever the client process last left on its stack, goes out on the wire. A malicious or compromised repeater, or anyone who can intercept the client-to-repeater connection, receives that memory from each client that connects through it, before any RFB authentication has happened. Any VNC client or tool built on libvncclient 0.9.12 or earlier that connects via a repeater is affected.

💻 Affected Systems

Products:
  • LibVNCServer (the libvncclient component)
  • Any VNC viewer or application that links libvncclient
Versions: Before 0.9.13 (0.9.12 and earlier)
Operating Systems: All platforms on which LibVNCServer builds
Default Config Vulnerable: ⚠️ Yes, whenever the client is configured to go through a repeater; no option other than the repeater destination is needed
Notes: Only the repeater code path is affected. ConnectToRFBRepeater is called from rfbInitConnection when client->destHost is set (for example via the -repeaterdest argument that rfbInitClient parses). Direct client-to-server connections never reach the vulnerable code, and the server-side library (libvncserver) is not affected by this CVE.

📦 What is this software?

LibVNCServer is a cross-platform C library implementing the RFB protocol used by VNC. It ships two libraries: libvncserver for building VNC servers and libvncclient for building viewers. Desktop viewers, remote-support tools and embedded devices link one or both. This CVE lives in libvncclient's repeater handshake, so the question for your inventory is which viewers or tools link libvncclient and whether any of them is ever pointed at a repeater.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A client that connects through an attacker-controlled or compromised repeater hands over roughly 230 bytes of its stack on every connection. Depending on what the process did just before, that residue can contain stack and return addresses (weakening ASLR for a follow-up memory-corruption attack) or fragments of data the process handled earlier, such as credentials or buffer contents.

🟠

Likely Case

Disclosure of a few hundred bytes of stack residue per connection to whoever operates or can intercept the repeater. Most of it is uninteresting, but the leak is repeatable: an attacker who can make a client reconnect can sample it many times and pick out pointers or strings.

🟢

If Mitigated

Low impact where clients are pointed only at repeaters you operate, client-to-repeater traffic runs inside an authenticated, encrypted tunnel (VPN or SSH), and repeater mode is disabled on clients that do not need it.

🌐 Internet-Facing: MEDIUM - A client configured to use a repeater reachable over the internet sends its stack residue to that host in clear text; anyone operating or intercepting that path can collect it. The exposure is outbound (client to repeater), not an inbound service an attacker can scan for.
🏢 Internal Only: LOW - Requires the client to connect through a repeater the attacker controls or can observe; with repeaters confined to a trusted network segment this is hard to reach.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The leak is in the first bytes the client sends after the TCP connection is up, before any RFB authentication. The repeater announces itself with the RFB version string 000.000, and the client answers with the 250-byte ID record. Exploitation therefore requires only that a vulnerable client connect to a repeater address the attacker controls or can observe; the attacker reads the record and keeps everything after the first NUL byte.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.13 and later

Vendor Advisory: https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.13

Restart Required: Yes (the library is loaded into the client process)

Instructions:

1. Update LibVNCServer to 0.9.13 or later, or to a distribution package that backports the fix. The fix clears the 250-byte buffer in ConnectToRFBRepeater before the destination string is formatted into it, so only the "host:port" prefix followed by zeros is ever sent.
2. Rebuild any application that links libvncclient statically; dynamically linked applications pick up the new shared library on restart.
3. Restart affected clients and services.

🔧 Temporary Workarounds

Disable VNC Repeater Functionality

all

If repeater mode is not required, do not configure a repeater destination on libvncclient-based viewers (for example, remove any -repeaterdest argument). With no destination host set, ConnectToRFBRepeater is never called and the vulnerable path is not reached.

Network Segmentation

linux

The leaked bytes travel from the client to the repeater, so the control that matters is which repeater hosts your clients can reach, not who can reach your VNC server. On client hosts, allow outbound connections only to a trusted repeater and drop the rest (replace the placeholders with your repeater's address and port; UltraVNC-style repeaters listen on 5901 for viewers by default):

iptables -A OUTPUT -p tcp --dport repeater_port -d trusted_repeater -j ACCEPT
iptables -A OUTPUT -p tcp --dport repeater_port -j DROP

Restricting inbound access to the VNC server port (5900) is still good hygiene but does not mitigate this CVE.

🧯 If You Can't Patch

  • Inventory which viewers and tools link libvncclient and which of them carry a repeater destination; remove repeater settings wherever they are not needed
  • Point clients only at repeaters you operate, and carry client-to-repeater traffic inside a VPN or SSH tunnel so an attacker on the network path cannot read the leaked bytes
  • Where you run the repeater, log the 250-byte ID records it receives: anything other than zeros after the first NUL byte identifies an unpatched client

🔍 How to Verify

Check if Vulnerable:

Check the installed LibVNCServer package version (note that ldd --version reports the glibc version, not libvncserver):

dpkg -l | grep -i libvnc        # Debian/Ubuntu
rpm -qa | grep -i libvnc        # RHEL/Fedora/SUSE

Check Version:

pkg-config --modversion libvncclient 2>/dev/null || pkg-config --modversion libvncserver 2>/dev/null || grep LIBVNCSERVER_PACKAGE_VERSION /usr/include/rfb/rfbconfig.h

Verify Fix Applied:

There is no libvncserver command-line binary, so compare the version reported above against 0.9.13. Distribution packages often backport the fix under an older version string; in that case check the package changelog for CVE-2018-21247, or, if you have the source, confirm that ConnectToRFBRepeater in libvncclient/rfbproto.c clears tmphost (memset) before the snprintf that formats the destination into it.

📡 Detection & Monitoring

Log Indicators:

  • Client side: viewers started with a repeater destination that is not one of your known repeaters (command lines, configuration files, process arguments)
  • Repeater side (if you operate one): ID records from clients whose bytes after the first NUL are not all zero; a patched client always sends zero padding

Network Indicators:

  • Outbound connections from VNC client hosts to unexpected repeater addresses (a repeater answers with the version banner "RFB 000.000")
  • A 250-byte client record immediately after that banner in which the bytes following the "host:port" string are non-zero

SIEM Query:

source="vnc.log" AND event="repeater" AND dest_ip NOT IN trusted_repeaters
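The following C is an added example, not LibVNCServer project code. It models the repeater handshake described in the TL;DR (a fixed 250-byte "host:port" record, the size of tmphost in libvncclient/rfbproto.c) beside the 0.9.13 fix, and implements the repeater-side check from the indicators above. REPEATER_ID_LEN, build_repeater_id, repeater_id_leak_bytes and demo are names chosen here. The "stack residue" is constructed by pre-filling the buffer with 'S' so the run is deterministic; a real leak carries whatever the client process last left at that stack depth.

```c
/*
 * Added example (not LibVNCServer code): the vulnerable repeater ID
 * construction from pre-0.9.13 libvncclient beside the fixed form, plus
 * a detection check for records captured at a repeater.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REPEATER_ID_LEN 250   /* matches tmphost[250] in rfbproto.c */

/*
 * Fill `id` with "host:port" as sent to an UltraVNC-style repeater.
 * zero_first == 0 mirrors the vulnerable code: only the formatted prefix
 * is written and the rest of the buffer is left untouched.
 * zero_first != 0 mirrors the 0.9.13 fix: the buffer is cleared first.
 * Returns the prefix length, or -1 if the destination does not fit.
 */
static int build_repeater_id(unsigned char id[REPEATER_ID_LEN],
                             const char *host, int port, int zero_first)
{
    if (zero_first)
        memset(id, 0, REPEATER_ID_LEN);          /* the one-line fix */
    int n = snprintf((char *)id, REPEATER_ID_LEN, "%s:%d", host, port);
    if (n < 0 || n >= REPEATER_ID_LEN)
        return -1;
    return n;
}

/*
 * Detection side: given a captured repeater ID record, count the bytes
 * after the first NUL that are not zero. A patched client always yields
 * 0; a leaking client yields however much stack residue it sent.
 * Returns -1 when no terminator is present (malformed record).
 */
static int repeater_id_leak_bytes(const unsigned char *rec, size_t len)
{
    const unsigned char *nul = memchr(rec, 0, len);
    if (!nul)
        return -1;
    int leaked = 0;
    for (const unsigned char *p = nul + 1; p < rec + len; p++)
        if (*p != 0)
            leaked++;
    return leaked;
}

/*
 * Simulate the stack: fill the buffer with recognisable residue before
 * calling the builder, as an earlier call frame would have. This is a
 * constructed stand-in; a real leak contains pointers, earlier strings
 * or key material rather than a fixed pattern.
 */
static int demo(int zero_first)
{
    unsigned char id[REPEATER_ID_LEN];
    memset(id, 'S', sizeof id);              /* constructed residue */
    if (build_repeater_id(id, "target.internal", 5900, zero_first) < 0)
        return -1;
    return repeater_id_leak_bytes(id, sizeof id);
}

int main(void)
{
    /* "target.internal:5900" is 20 bytes + NUL, so 229 residue bytes */
    printf("vulnerable pattern: %d residue bytes sent to the repeater\n", demo(0));
    printf("fixed pattern:      %d residue bytes sent to the repeater\n", demo(1));
    return 0;
}
```

Build with cc -std=c99 and run: the vulnerable pattern reports 229 residue bytes for target.internal:5900, the fixed one 0. The same repeater_id_leak_bytes check can be run over ID records captured at a repeater you operate to find clients that still need the patch.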

🔗 References

  • https://nvd.nist.gov/vuln/detail/CVE-2018-21247
  • https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.13