UltraVNC up to 1.2.2.3 VNC Server memory corruption

Summaryinfo

A vulnerability has been found in UltraVNC up to 1.2.2.3 and classified as critical. This vulnerability affects unknown code of the component VNC Server. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2019-8274. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, has been found in UltraVNC up to 1.2.2.3 (Connectivity Software). This issue affects an unknown part of the component VNC Server. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially in result code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The bug was discovered 03/01/2019. The weakness was shared 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-021: UltraVNC Heap-based Buffer Overflow as confirmed advisory (Website). It is possible to read the advisory at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). The identification of this vulnerability is CVE-2019-8274 since 02/12/2019. The attack may be initiated remotely. A simple authentication is necessary for exploitation. The technical details are unknown and an exploit is not publicly available. The advisory points out:

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially result code execution. This attack appear to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k. The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1212 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

us-cert.gov is providing further details. The entries VDB-131509, VDB-131510, VDB-131511 and VDB-131512 are related to this item. Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion