CVE-2020-25708

Vulnerability

The vulnerability is a divide-by-zero flaw in libvncserver version 0.9.12, specifically in the rfbProcessFileTransferReadBuffer function within rfbserver.c. A malicious VNC client can send a specially crafted message that triggers this issue when the server processes the request, causing a floating-point exception (FPE). The code path is reachable during file transfer operations, which may require enabling the file transfer feature in the VNC server configuration [1].

Exploitation

An attacker needs to be able to connect as a client to a vulnerable VNC server (libvncserver). The attack requires sending a crafted file transfer message that causes the server to compute a division by zero. No authentication is needed if file transfer is enabled, but the server must have file transfer support active (often disabled by default). The exploit steps involve establishing a TCP connection and sending the malicious payload to trigger the divide-by-zero [1].

Impact

Successful exploitation leads to a floating-point exception in the VNC server process, causing a crash. This results in a denial of service (DoS) for legitimate users, as the server becomes unavailable. The impact is limited to availability; confidentiality and integrity are not directly compromised. The attack does not provide any code execution or privilege escalation [1].

Mitigation

The vulnerability was fixed in later releases of libvncserver. Users should update to a version after 0.9.12 (e.g., 0.9.13 or later). If upgrading is not possible, disabling the file transfer feature can mitigate the risk, as the vulnerable code path requires that feature to be active. Note that some downstream projects (e.g., TurboVNC, TigerVNC) are not affected, as confirmed by the developers [1].