UltraVNC up to 1.2.2.3 VNC Server access control

Summaryinfo

A vulnerability was found in UltraVNC up to 1.2.2.3 and classified as critical. This issue affects some unknown processing of the component VNC Server. The manipulation results in access control. This vulnerability is known as CVE-2019-8275. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in UltraVNC up to 1.2.2.3 (Connectivity Software). Affected is an unknown code of the component VNC Server. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of-bound data being accessed by remote users. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.

The bug was discovered 03/01/2019. The weakness was published 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-022: UltraVNC Improper Null Termination as confirmed advisory (Website). The advisory is shared for download at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). This vulnerability is traded as CVE-2019-8275 since 02/12/2019. It is possible to launch the attack remotely. A authentication is needed for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068. The advisory points out:

UltraVNC revision 1211 has a multiple improper null termination vulnerabilities in VNC server code, which result out-of-bound data being access by remote user. This attack appear to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k. The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1212 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

Further details are available at us-cert.gov. Similar entries are available at VDB-131509, VDB-131510, VDB-131511 and VDB-131512. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion