TightVNC Heap Buffer Overflow Vulnerability

Overview:

  TightVNC is a remote desktop software application. It lets you connect to another computer and display its live remote desktop or control the remote computer with your mouse and keyboard, just as you would sitting in front of that computer. Since it is designed to work out of the box, TightVNC can be very handy not only for system administrators and support staff, but for any user who wants to benefit from remote access. Like other VNC systems, it consists of two parts: the Server, which shares the screen of the machine it’s running on, and the Viewer, which shows the remote screen received from the server.

  A heap buffer overflow vulnerability has been reported in the TightVNC vncviewer. The vulnerability is due to missing validation of the name-length integer carried in the ServerInit message, in InitialiseRFBConnection() in the viewer's rfbproto.c.

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-23967.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  VNC uses the Remote Framebuffer (RFB) protocol, a simple protocol for remote access to graphical user interfaces that allows a client to view and control a window system on another computer.

  A heap buffer overflow exists in the TightVNC vncviewer. The problem occurs while reading the desktop name from the ServerInit message in InitialiseRFBConnection(). The function first calls ReadFromRFBServer() to read the fixed-size ServerInit fields, which include the 32-bit name-length field but not the variable-sized name string that follows it. It then calls malloc() with si.nameLength plus one byte for the NUL terminator. Because si.nameLength is a 32-bit unsigned value, a name-length of the maximum 32-bit value (0xFFFFFFFF) makes that addition wrap to 0, so malloc() is called with a size of 0. On common allocators such as glibc, malloc(0) returns a valid minimal chunk rather than NULL, so the allocation-failure check after it does not catch the case. The function then calls ReadFromRFBServer() again to copy up to 0xFFFFFFFF attacker-supplied bytes into that zero-length heap buffer, and finally writes the NUL terminator at offset si.nameLength, far past the end of the allocation.
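  The size computation described above, with a hardened version beside it and a parser run over two constructed ServerInit messages, as an added example (C code written for this write-up, not TightVNC's own source). The two ReadFromRFBServer() calls are replaced by reads from an in-memory buffer, MAX_DESKTOP_NAME_LEN is an assumed cap rather than a TightVNC constant, and the sample messages are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of the RFB ServerInit message (RFB 3.x): a 24-byte fixed part
 * (framebuffer width(2), height(2), PIXEL_FORMAT(16), name-length(4), all
 * big-endian) followed by name-length bytes of desktop name. */
#define RFB_SERVER_INIT_FIXED_LEN 24
#define RFB_NAME_LENGTH_OFFSET    20

/* Assumed upper bound on a plausible desktop name; not a TightVNC constant. */
#define MAX_DESKTOP_NAME_LEN 1024

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The arithmetic InitialiseRFBConnection() performs: si.nameLength is a
 * CARD32 (32-bit unsigned), so "si.nameLength + 1" is evaluated in 32 bits
 * and wraps to 0 when the server sends 0xFFFFFFFF. glibc's malloc(0) returns
 * a valid minimal chunk, so a NULL check after it never fires. */
uint32_t vulnerable_alloc_size(uint32_t name_length) {
    return name_length + 1;
}

/* Hardened version: reject implausible lengths, then widen to size_t before
 * adding so the +1 can never wrap. Returns 0 to signal rejection. */
size_t safe_alloc_size(uint32_t name_length) {
    if (name_length > MAX_DESKTOP_NAME_LEN)
        return 0;
    return (size_t)name_length + 1;
}

/* Parse the desktop name out of a complete ServerInit message held in memory
 * (the stand-in for the two ReadFromRFBServer() calls). Returns a malloc'd
 * NUL-terminated string, or NULL if the message is too short, the declared
 * length is rejected, or the name bytes are not all present. */
char *parse_server_init_name(const uint8_t *msg, size_t msg_len) {
    if (msg_len < RFB_SERVER_INIT_FIXED_LEN)
        return NULL;
    uint32_t name_length = read_be32(msg + RFB_NAME_LENGTH_OFFSET);
    size_t alloc = safe_alloc_size(name_length);
    if (alloc == 0)
        return NULL;                                /* 0xFFFFFFFF is rejected here */
    if (msg_len - RFB_SERVER_INIT_FIXED_LEN < name_length)
        return NULL;                                /* truncated name */
    char *name = malloc(alloc);
    if (name == NULL)
        return NULL;
    memcpy(name, msg + RFB_SERVER_INIT_FIXED_LEN, name_length);
    name[name_length] = '\0';                       /* in bounds: alloc == name_length + 1 */
    return name;
}

/* Constructed sample messages (not captured traffic). Both advertise a
 * 1024x768 32-bpp true-colour framebuffer; only the name-length differs. */
#define SERVER_INIT_HEADER \
    0x04, 0x00, 0x03, 0x00,                 /* width 1024, height 768 */ \
    0x20, 0x18, 0x00, 0x01,                 /* bpp 32, depth 24, little-endian, true-colour */ \
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff,     /* red/green/blue max 255 */ \
    0x10, 0x08, 0x00, 0x00, 0x00, 0x00      /* shifts 16/8/0 + 3 bytes padding */

static const uint8_t benign_server_init[] = {
    SERVER_INIT_HEADER,
    0x00, 0x00, 0x00, 0x05,                 /* name-length 5 */
    'h', 'e', 'l', 'l', 'o'
};

static const uint8_t malicious_server_init[] = {
    SERVER_INIT_HEADER,
    0xff, 0xff, 0xff, 0xff,                 /* name-length 0xFFFFFFFF */
    'A', 'A', 'A', 'A'                      /* a live attacker would keep streaming bytes */
};

int main(void) {
    printf("vulnerable size for 0xFFFFFFFF: %u\n",
           (unsigned)vulnerable_alloc_size(0xFFFFFFFFu));
    printf("hardened size for 0xFFFFFFFF:   %zu (0 = rejected)\n",
           safe_alloc_size(0xFFFFFFFFu));

    char *name = parse_server_init_name(benign_server_init, sizeof benign_server_init);
    printf("benign name:    %s\n", name ? name : "(rejected)");
    free(name);

    name = parse_server_init_name(malicious_server_init, sizeof malicious_server_init);
    printf("malicious name: %s\n", name ? name : "(rejected)");
    free(name);
    return 0;
}
```

  The cap is the part that matters: widening to size_t alone would turn the wrap into a 4 GiB allocation request, which fails cleanly on most systems but still lets a hostile server drive the viewer's memory use. Rejecting the length before allocating keeps both the overflow and the resource-exhaustion path closed.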

  A remote attacker could exploit this vulnerability by sending a maliciously crafted message to a target user using TightVNC vncviewer. Successful exploitation could lead to remote code execution under the security context of the client process, while an unsuccessful attack could lead to a denial-of-service condition.

  View RFB Protocol

Triggering the Problem:

  • The target system must have the vulnerable product installed.
  • The target must have network connectivity to the attacker port.

Triggering Conditions:

  The target connects to the attacker server, performs the protocol and security handshakes, sends the ClientInit message, and receives the malicious ServerInit message. The vulnerability is triggered when the affected product processes the ServerInit message.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • RFB

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18698 TightVNC Client Heap Buffer Overflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signature above.
    • Blocking VNC connections to untrusted hosts.
    • Avoiding use of the TightVNC client on Linux systems.
  At the time of writing, the vendor has not released a patch for this vulnerability.
  Bug Report

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.