Full Report
UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of the SETPIXELS macro in the VNC client code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1208.
Analysis Summary
# Vulnerability: UltraVNC SETPIXELS Out-of-Bounds Access
## CVE Details
- **CVE ID:** CVE-2019-8265
- **CVSS Score:** 8.8 (High) - *Calculated based on CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H*
- **CWE:** CWE-787: Out-of-bounds Write
## Affected Systems
- **Products:** UltraVNC (VNC Client)
- **Versions:** Revision 1207 and all versions prior to 1.2.2.4
- **Configurations:** Client-side usage where the user connects to a remote VNC server.
## Vulnerability Description
Multiple out-of-bounds access vulnerabilities exist within the UltraVNC client code due to the improper usage of the `SETPIXELS` macro. The flaw occurs during the processing of pixel data sent from a VNC server. Because the macro does not properly validate buffer boundaries, a malicious server can send crafted data that forces the client to write beyond the allocated memory buffer (Out-of-bounds Write), potentially allowing for arbitrary code execution in the context of the VNC client application.
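As an added illustration of the defect class (constructed for this advisory; not UltraVNC's own code and not a reproduction of the real `SETPIXELS` macro), a server-supplied rectangle is painted into a fixed-size client framebuffer, once without bounds validation and once behind the guard a fixed client must apply before writing. The framebuffer dimensions, the function names, and the assumption that the rectangle arrives as RFB-style x/y/width/height values are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed client-side framebuffer standing in for the viewer's pixel
 * buffer (dimensions chosen for the example, not UltraVNC's real layout). */
#define FB_WIDTH  64u
#define FB_HEIGHT 48u
static uint32_t framebuffer[FB_WIDTH * FB_HEIGHT];

/* Unchecked write: trusts the server-supplied rectangle and paints w*h
 * pixels starting at (x, y). A rectangle that extends past the framebuffer
 * edge makes the index exceed the array, i.e. the out-of-bounds write the
 * advisory describes. Kept private; it is only ever reached via the guard. */
static void set_pixels_unchecked(unsigned x, unsigned y, unsigned w, unsigned h,
                                 uint32_t colour)
{
    for (unsigned row = 0; row < h; row++)
        for (unsigned col = 0; col < w; col++)
            framebuffer[(y + row) * FB_WIDTH + (x + col)] = colour;
}

/* Hardened entry point: reject the rectangle before any memory is touched.
 * Width and height are compared first so that FB_WIDTH - w cannot wrap;
 * then the far edges are checked without computing x + w, which could
 * itself overflow for hostile values. Returns 1 if painted, 0 if rejected. */
int set_pixels_checked(unsigned x, unsigned y, unsigned w, unsigned h,
                       uint32_t colour)
{
    if (w > FB_WIDTH || h > FB_HEIGHT)
        return 0;
    if (x > FB_WIDTH - w || y > FB_HEIGHT - h)
        return 0;
    set_pixels_unchecked(x, y, w, h, colour);
    return 1;
}

/* Read back one pixel so callers (and tests) can confirm what was written. */
uint32_t pixel_at(unsigned x, unsigned y) { return framebuffer[y * FB_WIDTH + x]; }

int main(void)
{
    /* A rectangle that fits is painted; one that overhangs the edge is dropped. */
    printf("in-bounds 0,0 64x48: %d\n", set_pixels_checked(0, 0, 64, 48, 0xFFu));
    printf("overhang  60,40 8x8: %d\n", set_pixels_checked(60, 40, 8, 8, 0x11u));
    printf("hostile   0,0 65535x65535: %d\n",
           set_pixels_checked(0, 0, 65535, 65535, 0x11u));
    return 0;
}
```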
## Exploitation
- **Status:** PoC available
- **Complexity:** Low
- **Attack Vector:** Network (Victim must connect to a malicious VNC server)
## Impact
- **Confidentiality:** High (Potential for full system memory access)
- **Integrity:** High (Potential for arbitrary code execution)
- **Availability:** High (Potential for application crash or system instability)
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** This version (revision 1208) includes fixes for the `SETPIXELS` macro usage. Users should upgrade immediately to version 1.2.2.4 or newer.
### Workarounds
- **Strict Server Connection Policy:** Only connect the UltraVNC client to trusted and verified VNC servers.
- **Network Segmentation:** Restrict outbound VNC traffic (typically TCP port 5900+) to known-good IP addresses using a firewall.
## Detection
- **Indicators of Compromise:** Unusual memory usage or unexpected application crashes (Segmentation Faults) of the UltraVNC client process `vncviewer.exe`.
- **Detection Methods:** Security teams should audit installed UltraVNC versions using software inventory tools or vulnerability scanners to identify versions below 1.2.2.4. Network traffic analysis may identify connections to untrusted or suspicious external VNC servers.
## References
- **Vendor Advisory:** hxxps[://]www[.]uvnc[.]com/
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-012-ultravnc-access-of-memory-location-after-end-of-buffer/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8265