UltraVNC up to 1.2.2.3 VNC Client ReadString calculation

Summaryinfo

A vulnerability marked as critical has been reported in UltraVNC up to 1.2.2.3. This affects the function ClientConnection::ReadString of the component VNC Client. The manipulation leads to calculation. This vulnerability is listed as CVE-2019-8268. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in UltraVNC up to 1.2.2.3 (Connectivity Software) and classified as critical. This issue affects the function ClientConnection::ReadString of the component VNC Client. The manipulation with an unknown input leads to a calculation vulnerability. Using CWE to declare the problem leads to CWE-682. The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of ClientConnection::ReadString function, which can potentially result code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1207.

The bug was discovered 03/01/2019. The weakness was presented 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-015: UltraVNC Off-by-one Error as confirmed advisory (Website). The advisory is shared at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). The identification of this vulnerability is CVE-2019-8268 since 02/12/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. The advisory points out:

UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of ClientConnection::ReadString function, which can potentially result code execution. This attack appear to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1207.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 371788 (UltraVNC multiple off-by-one vulnerabilities). The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1207 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

us-cert.gov is providing further details. See VDB-131509, VDB-131510, VDB-131511 and VDB-131512 for similar entries. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion