UltraVNC up to 1.2.2.3 VNC Server memory corruption

Summaryinfo

A vulnerability classified as critical was found in UltraVNC up to 1.2.2.3. Affected by this vulnerability is an unknown functionality of the component VNC Server. Such manipulation leads to memory corruption. This vulnerability is documented as CVE-2019-8271. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in UltraVNC up to 1.2.2.3 (Connectivity Software). It has been rated as critical. Affected by this issue is an unknown function of the component VNC Server. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The bug was discovered 03/01/2019. The weakness was released 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-018: UltraVNC Heap-based Buffer Overflow as confirmed advisory (Website). The advisory is shared for download at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). This vulnerability is handled as CVE-2019-8271 since 02/12/2019. The attack may be launched remotely. The successful exploitation requires a simple authentication. There are neither technical details nor an exploit publicly available. The advisory points out:

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result code execution. This attack appear to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $5k-$25k. The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1212 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

us-cert.gov is providing further details. Entries connected to this vulnerability are available at VDB-131509, VDB-131510, VDB-131511 and VDB-131512. Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion