CVE-2020-29074

8.8 HIGH

📋 TL;DR

This vulnerability in x11vnc 0.9.16 allows unauthorized access to shared memory segments due to insecure permissions (IPC_CREAT|0777) in shmget calls. It affects users running x11vnc with shared memory enabled, potentially exposing sensitive screen data or allowing privilege escalation. Attackers with local access can exploit this to read or modify shared memory intended for the current user only.

💻 Affected Systems

Products:
  • x11vnc
Versions: 0.9.16 and possibly earlier versions; fixed in commit 69eeb9f7baa14ca03b16c9de821f9876def7a36a.
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present when x11vnc uses shared memory (shm) for scanning; default configurations may enable this depending on setup.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains unauthorized access to shared memory, leading to information disclosure of screen contents, session hijacking, or privilege escalation if x11vnc runs with elevated privileges.

🟠 Likely Case

Local attackers read sensitive data from shared memory, such as screen captures or authentication details, compromising user privacy and potentially enabling further attacks.

🟢 If Mitigated

With proper access controls (e.g., patched versions or restricted permissions), impact is minimized to no unauthorized access, maintaining confidentiality and integrity.

🌐 Internet-Facing: LOW, as exploitation typically requires local access to the system; x11vnc is often used internally for remote desktop access, not directly internet-exposed.
🏢 Internal Only: MEDIUM, because internal attackers or compromised accounts can exploit this locally, but it depends on x11vnc usage and shared memory configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW, as it involves local access and standard system calls to interact with shared memory.

Exploitation requires local access to the system; no public proof-of-concept has been disclosed, but the vulnerability is straightforward to abuse.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 69eeb9f7baa14ca03b16c9de821f9876def7a36a; check for updated packages from distributions like Debian or Fedora.

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2020/12/msg00018.html

Restart Required: Yes

Instructions:

1. Update x11vnc to a patched version via your package manager (e.g., apt-get update && apt-get upgrade x11vnc on Debian).
2. Restart the x11vnc service or process to apply changes.

🔧 Temporary Workarounds

Disable shared memory scanning (Linux)

Configure x11vnc to not use shared memory for screen scanning, reducing the attack surface.

x11vnc -noshm

🧯 If You Can't Patch

  • Restrict access to x11vnc processes by running with minimal privileges and isolating them in containers or virtual machines.
  • Monitor system logs for unauthorized access attempts to shared memory segments and implement strict access controls on IPC resources.

🔍 How to Verify

Check if Vulnerable:

Check x11vnc version: run 'x11vnc -version' and verify if it is 0.9.16 or earlier; inspect source code for shmget calls with IPC_CREAT|0777.

Check Version:

x11vnc -version 2>&1 | grep -i version

Verify Fix Applied:

After updating, confirm the version is patched (e.g., post-commit 69eeb9f7baa14ca03b16c9de821f9876def7a36a) and test that shared memory permissions are secure.
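
One way to run that permission test on a Linux host, as an added example that is not part of the original advisory or of the x11vnc project: it parses /proc/sysvipc/shm and reports segments whose mode grants group or other access. The sample rows are constructed, and treating any group/other bit as a finding is an assumption based on the advisory's "current user only" wording.

```python
"""Audit System V shared memory segments for group/other access bits."""
from pathlib import Path

PROC_SHM = Path("/proc/sysvipc/shm")  # Linux listing of SysV shm segments

# Constructed sample in the /proc/sysvipc/shm layout (not captured from a real host).
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768  1777    8294400  4121  4121      2  1000  1000  1000  1000 1606780000          0 1606780000    8294400          0
         0      32769  1600    4194304  3990  3990      2  1000  1000  1000  1000 1606770000          0 1606770000    4194304          0
         0      32770   640      65536  2200  2200      1   107   107   107   107 1606760000          0 1606760000      65536          0
"""

def parse_segments(text):
    """Yield one dict per segment, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return
    header = lines[0].split()
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):  # skip malformed or truncated rows
            yield dict(zip(header, fields))

def exposed_segments(text, mask=0o077):
    """Return segments whose permission bits overlap mask (default: group/other)."""
    findings = []
    for seg in parse_segments(text):
        # perms is printed in octal; bits above 0o777 are kernel flags
        # (SHM_DEST, SHM_LOCKED), not access permissions.
        mode = int(seg["perms"], 8) & 0o777
        if mode & mask:
            findings.append({"shmid": int(seg["shmid"]), "mode": f"{mode:04o}",
                             "uid": int(seg["uid"]), "cpid": int(seg["cpid"])})
    return findings

def creator_name(cpid):
    """Best-effort name of the creating process (it may have exited)."""
    try:
        return (Path("/proc") / str(cpid) / "comm").read_text().strip()
    except OSError:
        return "?"

if __name__ == "__main__":
    text = PROC_SHM.read_text() if PROC_SHM.exists() else SAMPLE
    for f in exposed_segments(text):
        print(f"shmid={f['shmid']} mode={f['mode']} uid={f['uid']} "
              f"creator={creator_name(f['cpid'])} (pid {f['cpid']})")
```

Run it while x11vnc is serving a session; a patched build should contribute no rows whose creator is x11vnc.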

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to shared memory segments in system logs (e.g., /var/log/syslog).

Network Indicators:

  • Not applicable, as this is a local vulnerability; focus on host-based indicators.

SIEM Query:

Example: search for process creation events related to x11vnc with shared memory flags, or monitor for IPC permission changes.
