First published: Wed Apr 04 2018
It was discovered that LibVNCServer incorrectly handled certain packet lengths. A remote attacker able to connect to a LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code.
Affected Software | Ubuntu Release | Affected Version | How to fix (upgrade to) |
---|---|---|---|
ubuntu/libvncclient1 | 17.10 | <0.9.11+dfsg-1ubuntu0.1 | 0.9.11+dfsg-1ubuntu0.1 |
ubuntu/libvncserver1 | 17.10 | <0.9.11+dfsg-1ubuntu0.1 | 0.9.11+dfsg-1ubuntu0.1 |
ubuntu/libvncserver1 | 16.04 | <0.9.10+dfsg-3ubuntu0.16.04.2 | 0.9.10+dfsg-3ubuntu0.16.04.2 |
ubuntu/libvncserver0 | 14.04 | <0.9.9+dfsg-1ubuntu1.3 | 0.9.9+dfsg-1ubuntu1.3 |
A remote attacker can exploit the vulnerability to obtain sensitive information, cause a denial of service, or execute arbitrary code.
The vulnerability affects LibVNCServer packages with versions earlier than 0.9.11+dfsg-1ubuntu0.1 (Ubuntu 17.10), 0.9.10+dfsg-3ubuntu0.16.04.2 (Ubuntu 16.04), and 0.9.9+dfsg-1ubuntu1.3 (Ubuntu 14.04).
To fix the vulnerability, update LibVNCServer to version 0.9.11+dfsg-1ubuntu0.1 if you are using Ubuntu 17.10, version 0.9.10+dfsg-3ubuntu0.16.04.2 if you are using Ubuntu 16.04, or version 0.9.9+dfsg-1ubuntu1.3 if you are using Ubuntu 14.04.
You can find more information about the vulnerability in LibVNCServer on the Ubuntu security website: [CVE-2018-7225](https://ubuntu.com/security/CVE-2018-7225), [USN-4547-1](https://ubuntu.com/security/notices/USN-4547-1), [USN-4573-1](https://ubuntu.com/security/notices/USN-4573-1).
A remote attacker can exploit the vulnerability by connecting to a vulnerable LibVNCServer and sending specially crafted packets with incorrect lengths.