UltraVNC Vulnerabilities March 2019

ci_di_es
Posts: 2
Joined: 2019-04-09 09:04

UltraVNC Vulnerabilities March 2019

Post by ci_di_es »

Hi uvnc Team & users,

Last month some UltraVNC Server vulnerabilities were found by Kaspersky.
The Kaspersky advisory is not always clear and consistent.
Example:
CVE-2019-8277 describes CWE 655 as a cause. CWE 655 means Insufficient Psychological Acceptability.
or
The affected product is before 1.2.2.3 but the vendor mitigation is 1212. That's a conflict.
Additionally, several ratings are strange. For example, the scope change rating.
The UltraVNC Server CVEs are:
CVE-2019-8277, CVE-2019-8276, CVE-2019-8275, CVE-2019-8274, CVE-2019-8273, CVE-2019-8272, CVE-2019-8271
A statement from the manufacturer would be very helpful.
Best Regards

Chris
Rudi De Vos
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21

Re: UltraVNC Vulnerabilities March 2019

Post by Rudi De Vos »

For this update we worked together with them to fix possible issues.
Some issues were already fixed in a previous version. All are fixed in 1.2.2.4.
Once fixed, they are made publicly available.

Sample:
CVE-2019-8277
The server sends a buffer (x,y,w,h,z) to the viewer.
We only use x, y, w, h, and z is something for later use.
The issue was that we didn't set z to 0; it contains some uninitialized memory (4 bits in z).
Uninitialized means that it contains some part of the memory that is no longer used, but it contains some data
and that data is exposed. It's a low risk, like you can see a few letters of an unknown book in a library.

Most fixes are for the viewer.
You can connect to a fake server; the server tells it has a 800x600 screen, but is actually sending data for 1920x1200.
This will crash the viewer, but you have a risk that some memory gets overwritten.
We no longer trust the data sent by the server and do some extra bounding checks.

I hope this clarifies it a little.
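
The two fix patterns described in the reply above, as an added example that is not part of the original post and is not UltraVNC's code: the sender zeroes the whole header so the unused field carries no stale memory, and the viewer checks each rectangle against the screen size agreed at connect time before copying. The `rect_hdr` layout, the function names and the scaled-down 8x6 / 19x12 sizes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header modelled on the post's (x,y,w,h,z); not UltraVNC's own struct. */
typedef struct { uint16_t x, y, w, h; uint32_t z; } rect_hdr;

/* Server side: zero the whole header first, so the unused field z (and any
   padding) cannot carry stale memory onto the wire. */
void build_rect_hdr(rect_hdr *out, uint16_t x, uint16_t y, uint16_t w, uint16_t h) {
    memset(out, 0, sizeof *out);
    out->x = x; out->y = y; out->w = w; out->h = h;
}

/* Viewer side: the rectangle must lie inside the framebuffer size agreed at
   connect time, and the payload must be exactly w*h*bpp bytes. */
bool rect_fits(const rect_hdr *r, uint16_t fb_w, uint16_t fb_h, size_t bpp, size_t len) {
    if (r->w == 0 || r->h == 0) return false;
    if (r->x >= fb_w || r->y >= fb_h) return false;
    if (r->w > fb_w - r->x || r->h > fb_h - r->y) return false;
    return (uint64_t)r->w * r->h * bpp == len;   /* product computed in 64 bits */
}

/* Copy pixels row by row, only after the header has been validated. */
int apply_rect(uint8_t *fb, uint16_t fb_w, uint16_t fb_h, size_t bpp,
               const rect_hdr *r, const uint8_t *payload, size_t len) {
    if (!rect_fits(r, fb_w, fb_h, bpp, len)) return -1;
    size_t row = (size_t)r->w * bpp;
    for (size_t i = 0; i < r->h; i++)
        memcpy(fb + ((r->y + i) * fb_w + r->x) * bpp, payload + i * row, row);
    return 0;
}

int main(void) {
    /* Constructed input: 8x6 framebuffer at 1 byte/pixel, 19x12 rectangle. */
    uint8_t fb[8 * 6] = {0}, big[19 * 12];
    rect_hdr oversized;
    memset(big, 7, sizeof big);
    build_rect_hdr(&oversized, 0, 0, 19, 12);
    printf("oversized rect: %d\n", apply_rect(fb, 8, 6, 1, &oversized, big, sizeof big));
    return 0;
}
```

The subtraction form `r->w > fb_w - r->x` is used instead of `r->x + r->w > fb_w` so the comparison stays correct regardless of integer width.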
ci_di_es
Posts: 2
Joined: 2019-04-09 09:04

Re: UltraVNC Vulnerabilities March 2019

Post by ci_di_es »

Thank you very much.