UltraVNC up to 1.2.2.3 VNC Server Request memory corruption

Summaryinfo

A vulnerability was found in UltraVNC up to 1.2.2.3. It has been classified as critical. Impacted is an unknown function of the component VNC Server. This manipulation as part of Request causes memory corruption. This vulnerability is handled as CVE-2019-8276. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in UltraVNC up to 1.2.2.3 (Connectivity Software) and classified as critical. Affected by this vulnerability is an unknown code block of the component VNC Server. The manipulation as part of a Request leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

UltraVNC revision 1211 has a stack buffer overflow vulnerability in VNC server code inside file transfer request handler, which can result in Denial of Service (DoS). This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The bug was discovered 03/01/2019. The weakness was released 03/08/2019 by Pavel Cheremushkin with Kaspersky Lab ICS CERT as KLCERT-19-023: UltraVNC Stack-based Buffer Overflow as confirmed advisory (Website). The advisory is shared at ics-cert.kaspersky.com. The original advisory by Kaspersky has a very bad quality and consists of contradicting statements (e.g. summary and CVSS vectors). This vulnerability is known as CVE-2019-8276 since 02/12/2019. The attack can be launched remotely. The requirement for exploitation is a single authentication. Neither technical details nor an exploit are publicly available. The advisory points out:

UltraVNC revision 1211 has a stack buffer overflow vulnerability in VNC server code inside file transfer request handler, which can results Denial of System (DoS). This attack appear to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $5k-$25k. The advisory illustrates:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Upgrading to version 1.2.2.4 eliminates this vulnerability. Applying the patch Revision 1212 is able to eliminate this problem. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published 6 days after the disclosure of the vulnerability.

Additional details are provided at us-cert.gov. Entries connected to this vulnerability are available at VDB-131509, VDB-131510, VDB-131511 and VDB-131512. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Connectivity Software

Name

• UltraVNC

Version

• 1.0.4
• 1.0.5
• 1.0.5.1
• 1.0.8.2
• 1.0.9.5
• 1.0.9.6
• 1.0.9.6.2
• 1.1.4
• 1.1.5
• 1.1.8.0
• 1.1.8.3
• 1.1.8.4
• 1.1.8.5
• 1.1.8.6
• 1.1.8.9
• 1.1.9.0
• 1.1.9.1
• 1.1.9.3
• 1.1.9.6
• 1.2.0.1
• 1.2.0.3
• 1.2.0.4
• 1.2.0.5
• 1.2.0.6
• 1.2.0.7
• 1.2.0.9
• 1.2.1.1
• 1.2.1.2
• 1.2.1.6
• 1.2.1.7
• 1.2.2.1
• 1.2.2.2
• 1.2.2.3

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion