Full Report
UltraVNC before 1.2.2.4 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of-bounds data being accessed by a remote user.
Analysis Summary
# Vulnerability: UltraVNC Server Improper Null Termination
## CVE Details
- **CVE ID:** CVE-2019-8275
- **CVSS Score:** 4.3 (Medium) - *Note: While the provided text lists a base score of 0.0, the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N calculates to 4.3.*
- **CWE:** CWE-170 (Improper Null Termination)
## Affected Systems
- **Products:** UltraVNC (VNC Server component)
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems where the UltraVNC server is running and accessible over the network; requires the attacker to be authenticated as a user on the server.
## Vulnerability Description
UltraVNC server code contains multiple instances where strings or data buffers are not properly null-terminated. When the software processes these buffers, it may continue reading past the intended memory boundary until a null byte is encountered. This leads to an **Out-of-Bounds Read**, allowing a remote authenticated user to access data in the server's memory that should otherwise be inaccessible.
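The flawed pattern described above next to a bounded version, as an added C example that is not UltraVNC's code or part of the advisory. The field size, buffer layout, function names and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 8  /* constructed field size, not taken from UltraVNC */

/* Constructed layout: a fixed-size text field followed directly by unrelated
 * bytes, all inside one array so the demonstration itself stays in bounds. */
struct region { char bytes[32]; };

/* The client fills the whole field, leaving no room for a terminator. */
static void fill_region(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes, "AAAAAAAA", FIELD_LEN);            /* constructed input */
    memcpy(r->bytes + FIELD_LEN, "adjacent-data", 13);  /* stands in for other memory */
}

/* Flawed pattern (CWE-170): assumes the field is NUL-terminated, so the
 * length runs on into whatever follows the field. */
static size_t unsafe_field_len(const struct region *r) {
    return strlen(r->bytes);
}

/* Bounded length: never looks past FIELD_LEN bytes. */
static size_t safe_field_len(const struct region *r) {
    const char *nul = memchr(r->bytes, '\0', FIELD_LEN);
    return nul ? (size_t)(nul - r->bytes) : FIELD_LEN;
}

/* Bounded copy: truncates to the destination and always terminates it. */
static size_t copy_field(char *dst, size_t dst_size, const struct region *r) {
    size_t n = safe_field_len(r);
    if (dst_size == 0) return 0;
    if (n >= dst_size) n = dst_size - 1;
    memcpy(dst, r->bytes, n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    struct region r;
    char out[16];
    fill_region(&r);
    printf("unsafe length: %zu\n", unsafe_field_len(&r));
    printf("safe length:   %zu\n", safe_field_len(&r));
    copy_field(out, sizeof out, &r);
    printf("copied field:  %s\n", out);
    return 0;
}
```

The unbounded length covers the bytes placed after the field, which is the data an out-of-bounds read would hand back to the peer; the bounded routines stop at the field boundary.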
## Exploitation
- **Status:** PoC available (Proof of Concept has been developed)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Information disclosure of sensitive data residing in memory)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** Users should update to version 1.2.2.4 or any subsequent newer release to resolve these vulnerabilities.
### Workarounds
- No specific workarounds were provided in the advisory; however, standard security practices suggest restricting VNC access to trusted IP addresses via firewalls or VPNs to reduce the attack surface.
## Detection
- **Indicators of Compromise:** Unusual memory read patterns or crashes in the `winvnc.exe` process (though this specific flaw primarily results in data leakage rather than crashes).
- **Detection methods and tools:** Monitoring for unauthorized or anomalous authenticated sessions on VNC ports (default TCP 5900). Use of vulnerability scanners to identify outdated UltraVNC versions.
## References
- **Vendor Advisory:** hxxps[://]uvnc[.]com/
- **NVD Detail:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8275
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-022-ultravnc-improper-null-termination/