Full Report
UltraVNC before 1.2.2.4 has an out-of-bounds access vulnerability in the Ultra2 decoder of the VNC client, which can potentially result in code execution.
Analysis Summary
# Vulnerability: UltraVNC Ultra2 Decoder Out-of-Bounds Memory Access
## CVE Details
- **CVE ID:** CVE-2019-8264
- **CVSS Score:** 8.8 (High) - *Note: While the article text displays "0.0", the provided CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) calculates to 8.8.*
- **CWE:** CWE-125 (Out-of-bounds Read) / CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products:** UltraVNC (VNC Client)
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems utilizing the Ultra2 decoder for VNC sessions.
## Vulnerability Description
A memory corruption vulnerability exists within the Ultra2 decoder of the UltraVNC client. The flaw is specifically an "access of memory location after end of buffer" (out-of-bounds access). When the client attempts to decode a malicious stream of data from a VNC server using the Ultra2 encoding format, the decoder fails to properly validate buffer boundaries. This allows an attacker to read or write data outside of the intended memory allocation.
## Exploitation
- **Status:** PoC available (Proof of Concept)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (Target user must connect their VNC client to a malicious or compromised VNC server).
## Impact
- **Confidentiality:** High (Potential for memory disclosure)
- **Integrity:** High (Potential for arbitrary code execution)
- **Availability:** High (Potential for application crash/DoS)
## Remediation
### Patches
- **UltraVNC Version 1.2.2.4:** This version contains the official fix for the out-of-bounds access vulnerability. Users should upgrade immediately.
### Workarounds
- **Disable Ultra2 Encoding:** If upgrading is not immediately possible, avoid using the Ultra2 encoding setting in the client configuration.
- **Restrict Connections:** Only connect to known, trusted VNC servers and avoid connecting to third-party servers over untrusted networks.
## Detection
- **Indicators of Compromise:** Unusual memory usage or unexpected application crashes in `vncviewer.exe` when connecting to remote hosts.
- **Detection methods and tools:**
  - Use Network Intrusion Detection Systems (NIDS) to monitor for anomalous VNC traffic patterns.
  - Employ endpoint protection (EDR) to monitor for buffer overflow attempts or unauthorized code execution originating from the UltraVNC process.
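One way to turn the indicators and workarounds above into a triage rule, as an added example that is not part of the original advisory or of any UltraVNC tooling: it flags `vncviewer.exe` builds older than 1.2.2.4 that connect to servers outside an allowlist, and viewer crashes that closely follow a connection. The event schema, the allowlist and the five-minute window are assumptions, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

FIXED = (1, 2, 2, 4)             # first fixed UltraVNC release named in the advisory
TRUSTED_SERVERS = {"10.0.5.20"}  # assumption: site allowlist of VNC servers
WINDOW = timedelta(minutes=5)    # assumption: a crash this soon after a connect is treated as related

# Constructed sample telemetry in a hypothetical schema, one JSON event per line.
SAMPLE = """
{"ts":"2019-03-04T09:00:00","host":"ws01","type":"connect","image":"vncviewer.exe","version":"1.2.2.3","remote":"203.0.113.7"}
{"ts":"2019-03-04T09:01:10","host":"ws01","type":"crash","image":"vncviewer.exe","version":"1.2.2.3"}
{"ts":"2019-03-04T09:05:00","host":"ws02","type":"connect","image":"vncviewer.exe","version":"1.2.2.4","remote":"198.51.100.9"}
{"ts":"2019-03-04T09:10:00","host":"ws03","type":"connect","image":"VNCViewer.exe","version":"1.2.2.3","remote":"10.0.5.20"}
{"ts":"2019-03-04T10:30:00","host":"ws03","type":"crash","image":"VNCViewer.exe","version":"1.2.2.3"}
{"ts":"2019-03-04T10:31:00","host":"ws04","type":"crash","image":"explorer.exe"}
"""

def parse_version(text):
    """Turn '1.2.2.3' into (1, 2, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(log_text):
    """Return (host, finding, server) tuples for events matching the advisory's indicators."""
    last_connect = {}  # host -> (timestamp, server) of the most recent viewer connection
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["image"].lower() != "vncviewer.exe":
            continue  # only the UltraVNC viewer process is in scope
        ts = datetime.fromisoformat(ev["ts"])
        vulnerable = parse_version(ev["version"]) < FIXED
        if ev["type"] == "connect":
            last_connect[ev["host"]] = (ts, ev["remote"])
            if vulnerable and ev["remote"] not in TRUSTED_SERVERS:
                findings.append((ev["host"], "vulnerable-client-untrusted-server", ev["remote"]))
        elif ev["type"] == "crash":
            prev = last_connect.get(ev["host"])
            if prev and ts - prev[0] <= WINDOW:
                label = "crash-after-connect-vulnerable" if vulnerable else "crash-after-connect"
                findings.append((ev["host"], label, prev[1]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A crash on a patched client shortly after a connection is still reported, under the lower-priority `crash-after-connect` label, so it can be reviewed separately.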
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-011-ultravnc-access-of-memory-location-after-end-of-buffer/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8264
- **Researcher Credit:** Danil Gridasov (gridasovdanil) via Kaspersky ICS CERT.