UltraVNC up to 1.2.2.3 VNC Client Ultra2 Decoder out-of-bounds

Summaryinfo

A vulnerability was found in UltraVNC up to 1.2.2.3. It has been rated as critical. This issue affects some unknown processing of the component VNC Client Ultra2 Decoder. This manipulation causes out-of-bounds. The identification of this vulnerability is CVE-2019-8264. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as critical was found in UltraVNC up to 1.2.2.3 (Connectivity Software). Affected by this vulnerability is an unknown function of the component VNC Client Ultra2 Decoder. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1204.

The bug was discovered 03/01/2019. The weakness was shared 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-011: UltraVNC Access of Memory Location After End of Buffer as confirmed advisory (Website). The advisory is shared at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). This vulnerability is known as CVE-2019-8264 since 02/12/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available. The advisory points out:

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially result code execution. This attack appear to be exploitable via network connectivity. This vulnerability has been fixed in revision 1204.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $5k-$25k. The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1204 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

Additional details are provided at us-cert.gov. The entries VDB-131510, VDB-131511, VDB-131512 and VDB-131513 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion