UPavel Cheremushkin ovela eKaspersky Lab ihlalutyiwe ukuphunyezwa ezahlukeneyo VNC (Virtual Network Computing) inkqubo yofikelelo kude kwaye ichonge 37 semngciphekweni obangelwa iingxaki xa usebenza ngenkumbulo. Ubuthathaka obuchongiweyo ekuphunyezweni kweseva ye-VNC bunokusetyenziswa kuphela ngumsebenzisi oqinisekisiweyo, kwaye ukuhlaselwa kobuthathaka kwikhowudi yomxhasi kunokwenzeka xa umsebenzisi edibanisa kwiseva elawulwa ngumhlaseli.
Elona nani likhulu lobuthathaka elifunyenwe kwiphakheji I-UltraVNC, ifumaneka kuphela kwiqonga leWindows. Itotali yobuthathaka be-22 ichongiwe kwi-UltraVNC. Ubuthathaka obuli-13 bunokukhokelela ekwenziweni kwekhowudi kwisistim, isi-5 kwimemori evuzayo, kunye nesi-4 ekukhanyeni inkonzo.
Ubuthathaka bulungisiwe kukhupho 1.2.3.0.
Kwithala leencwadi elivulekileyo LibVNC (LibVNCServer kunye neLibVNCClient), leyo iyasetyenziswa kwiVirtualBox, ubuthathaka be-10 ichongiwe.
5 ubuthathaka (I-CVE-2018-20020, I-CVE-2018-20019, I-CVE-2018-15127, I-CVE-2018-15126, I-CVE-2018-6307) zibangelwa kukuphuphuma kwesikhuseli kwaye kunokukhokelela ekuphunyezweni kwekhowudi. Ubuthathaka obu-3 bunokukhokelela ekuvuzeni kolwazi, i-2 ekukhanyeni inkonzo.
Zonke iingxaki sele zilungisiwe ngabaphuhlisi, kodwa utshintsho lusekho ibonakalisiwe kuphela kwi-master branch.
Π I-TightVNC (icandelo lelifa lelifa leqonga livavanyiwe 1.3, kuba uguqulelo lwangoku lwe-2.x lukhutshelwe iWindows kuphela), ubuthathaka obu-4 bufunyenwe. Iingxaki ezintathu (I-CVE-2019-15679, I-CVE-2019-15678, I-CVE-2019-8287) zibangelwa kukuphuphuma kwebuffer ku-InitialiseRFBConnection, rfbServerCutText, kunye nemisebenzi ye-HandleCoRREBBP, kwaye inokukhokelela ekusebenzeni kwekhowudi. Ingxaki enye (I-CVE-2019-15680) kukhokelela ekwaliweni kwenkonzo. Nangona abaphuhlisi beTightVNC babe kwaziswa malunga neengxaki kunyaka ophelileyo, ubuthathaka buhlala bungalungiswa.
Kwiphakeji yeqonga elinqamlezayo I-TurboVNC (ifolokhwe ye TightVNC 1.3 esebenzisa ilayibrari ye-libjpeg-turbo), mnye kuphela ubuthathaka obufunyenweyo (I-CVE-2019-15683), kodwa kuyingozi kwaye, ukuba unokufikelela okuqinisekisiweyo kumncedisi, kwenza kube lula ukulungelelanisa ukuphunyezwa kwekhowudi yakho, ekubeni ukuba i-buffer iyaphuphuma, kunokwenzeka ukulawula idilesi yokubuyisela. Ingxaki isonjululwe 23 Aug kwaye ayiveli kukhupho lwangoku 2.2.3.
umthombo: opennet.ru