Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
| KL-IDS | KLCERT-20-009 |
| CVE-IDS | CVE-2019-15690 |
| Publication date | 2020.03.23 |
| Researcher | Pavel Cheremushkin, Kaspersky ICS CERT |
| Description | LibVNC client code contains heap buffer overflow vulnerability in commit prior to 6073771eed1caf72f196e410182471e0dfd32149. This could possible result into remote code execution. This attack appear to be exploitable via network connectivity. The issue has been fixed in commit 54220248886b5001fbbb9fa73c4e1a2cb9413fed. |
| Impact | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. |
| Severity | |
| CVSS v3 Base Score: | 8.8 |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
| Exploitability | Remotely |
| Difficulty | Low |
| User interaction | None |
| Existence of exploit | Unknown |
| Affected products | |
| Affected products | LibVNC client commit prior to 6073771eed1caf72f196e410182471e0dfd32149 |
| Mitigation | |
| Vendor mitigation | Update current version of LibVNC client. |
| Timeline |
Dec 2019 – Vulnerabilities reported Dec 2019 – Vendor releases patch Dec 2019 – Advisory published |