CVE-2019-20840

7.5 HIGH

📋 TL;DR

CVE-2019-20840 is a memory corruption vulnerability in LibVNCServer's WebSocket decoding functionality that can cause crashes due to unaligned memory accesses. This affects systems running vulnerable versions of LibVNCServer or software that incorporates it, potentially leading to denial of service. The vulnerability is triggered when processing WebSocket communications in the hybiReadAndDecode function.

💻 Affected Systems

Products:
  • LibVNCServer
  • Any software using LibVNCServer library
  • VNC server implementations based on LibVNCServer
Versions: All versions before 0.9.13
Operating Systems: Linux, Unix-like systems, Windows (if compiled with vulnerable library)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with WebSocket support enabled in LibVNCServer configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, though this is theoretical and not demonstrated.

🟠 Likely Case: Denial of service through application crash when processing malicious WebSocket traffic.

🟢 If Mitigated: Minimal impact with proper network segmentation and updated software.

🌐 Internet-Facing: HIGH - WebSocket-enabled VNC servers exposed to the internet are directly vulnerable to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal systems using vulnerable LibVNCServer could be crashed by malicious internal actors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in WebSocket handling and requires sending specially crafted packets to trigger the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.13 and later

Vendor Advisory: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76

Restart Required: Yes

Instructions:

1. Update LibVNCServer to version 0.9.13 or later.
2. Recompile any applications using the library.
3. Restart affected services.

🔧 Temporary Workarounds

Disable WebSocket support (platform: all)

Disable the WebSocket protocol in the LibVNCServer configuration to prevent exploitation.

Configure LibVNCServer with the -DisableWebSockets flag or equivalent configuration.

Network filtering (platform: linux)

Block WebSocket traffic to vulnerable VNC servers at the network perimeter:

iptables -A INPUT -p tcp --dport 5900 -m string --string "Sec-WebSocket-Key" --algo bm -j DROP

Note that the string match inspects each packet on its own, so a handshake header split across TCP segments is not matched, and the rule covers only the default VNC port 5900; add rules for any other display ports in use.

🧯 If You Can't Patch

  • Implement strict network access controls to limit VNC server exposure
  • Monitor for crash events and implement application restart automation

🔍 How to Verify

Check if Vulnerable:

Check LibVNCServer version: ldd /path/to/vncserver | grep libvncserver, then check version in library metadata

Check Version:

vncserver --version 2>&1 | grep -i libvncserver

Verify Fix Applied:

Verify version is 0.9.13 or higher: strings /usr/lib/libvncserver.so | grep 'LibVNCServer'
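An added helper script, not part of this advisory or of the LibVNCServer project, that automates the check above: it pulls a version number out of the `strings` output (the embedded "LibVNCServer X.Y.Z" string format and the sample output are assumptions) and classifies it against the 0.9.13 fix release, treating a missing component such as "0.9" as 0.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a LibVNCServer version string
# against the fixed release 0.9.13 for CVE-2019-20840.
FIXED_VERSION="0.9.13"
# Constructed sample of what `strings libvncserver.so | grep LibVNCServer`
# might print on a pre-fix build (the exact embedded strings vary by build).
SAMPLE_STRINGS='LibVNCServer 0.9.12
LibVNCServer/0.9.12 websockets'

# version_lt A B: succeeds when dotted-numeric version A is strictly below B.
# Missing components count as 0, so "0.9" < "0.9.13" and "0.10" > "0.9.13".
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        { for (i = 1; i <= NF; i++) v[NR, i] = $i + 0; if (NF > n) n = NF }
        END {
            for (i = 1; i <= n; i++) {
                x = ((1, i) in v) ? v[1, i] : 0
                y = ((2, i) in v) ? v[2, i] : 0
                if (x < y) exit 0
                if (x > y) exit 1
            }
            exit 1
        }'
}

# extract_version TEXT: print the first X.Y.Z that follows "LibVNCServer".
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*LibVNCServer[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# assess_version VERSION: print VULNERABLE, PATCHED or UNKNOWN (unparseable).
assess_version() {
    case "$1" in
        ''|[!0-9]*|*[!0-9.]*) echo UNKNOWN; return ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# Stand-alone use: pass a library path, or run with no argument on the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    text=$(strings "$1" | grep LibVNCServer) || text=""
else
    text="$SAMPLE_STRINGS"
fi
ver=$(extract_version "$text")
echo "LibVNCServer ${ver:-version not found}: $(assess_version "$ver")"
```

Run it as `sh check.sh /usr/lib/libvncserver.so` on a real library; an UNKNOWN result means no recognisable version string was found and the version must be confirmed from package metadata instead.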

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • WebSocket connection errors in VNC server logs

Network Indicators:

  • Malformed WebSocket packets to VNC ports
  • Multiple connection attempts with unusual payloads

SIEM Query:

source="vnc.log" AND ("segmentation fault" OR "crash" OR "unaligned access")
