Full Report
UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC client code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been []
Analysis Summary
# Vulnerability: UltraVNC Viewer Information Disclosure (Memory Leak)
## CVE Details
- **CVE ID:** CVE-2019-8259
- **CVSS Score:** 4.3 (Medium) *Note: While the provided text lists a base score of 0.0, the calculation string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P results in a base score of 4.3.*
- **CWE:** CWE-655 (Improper Initialization) / Memory Leak
## Affected Systems
- **Products:** UltraVNC Viewer (Client-side)
- **Versions:** All versions prior to 1.2.2.4 (specifically noted in revision 1198)
- **Configurations:** Systems where the VNC client is used to connect to remote VNC servers.
## Vulnerability Description
UltraVNC Viewer contains multiple memory leaks in its client-side code. The flaw allows an attacker-controlled VNC server to send malicious responses that cause the client to leak sensitive data from its stack memory. This technical flaw is specifically tied to improper memory management, allowing information disclosure that can be used to bypass Address Space Layout Randomization (ASLR).
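The bug class the description refers to, as an added illustration that is not UltraVNC's code: a hypothetical client-side message handler that trusts a server-supplied length and so returns uninitialized stack bytes, beside its hardened form (the function names, buffer size and message layout are assumptions).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SZ 32

/* Vulnerable pattern (illustrative, not UltraVNC's code): the handler copies
 * only the bytes actually received into an uninitialized stack buffer, then
 * emits `declared` bytes, a length the remote server chose. Everything in
 * buf[received..declared) is stale stack content: that is the disclosure. */
size_t handle_msg_vulnerable(const uint8_t *pkt, size_t received,
                             size_t declared, uint8_t *out, size_t out_sz)
{
    uint8_t buf[BUF_SZ];                      /* never initialized */
    if (received > BUF_SZ) received = BUF_SZ;
    memcpy(buf, pkt, received);
    if (declared > BUF_SZ) declared = BUF_SZ; /* bounds the read ... */
    if (declared > out_sz) declared = out_sz; /* ... and the write, not the leak */
    memcpy(out, buf, declared);               /* copies uninitialized bytes */
    return declared;
}

/* Hardened pattern: zero-initialize the buffer and reject any message whose
 * peer-supplied length exceeds what was actually received or what fits. */
int handle_msg_hardened(const uint8_t *pkt, size_t received,
                        size_t declared, uint8_t *out, size_t out_sz)
{
    uint8_t buf[BUF_SZ] = {0};
    if (declared > received || declared > BUF_SZ || declared > out_sz)
        return -1;                            /* inconsistent lengths: drop it */
    memcpy(buf, pkt, declared);
    memcpy(out, buf, declared);
    return (int)declared;
}

/* Constructed check: an 8-byte payload whose header claims 32 bytes is the
 * shape that would leak 24 stack bytes through the vulnerable handler and is
 * refused by the hardened one. Returns 1 when the hardened handler behaves. */
int selftest(void)
{
    const uint8_t pkt[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[BUF_SZ];
    if (handle_msg_hardened(pkt, sizeof pkt, 32, out, sizeof out) != -1) return 0;
    if (handle_msg_hardened(pkt, sizeof pkt, 8, out, sizeof out) != 8) return 0;
    if (memcmp(out, pkt, 8) != 0) return 0;
    return 1;
}
```

The vulnerable handler is shown only for contrast and is never called by the check, since reading the uninitialized bytes is undefined behaviour.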
## Exploitation
- **Status:** PoC available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Conditions:** Successful exploitation requires a user to connect their vulnerable UltraVNC Viewer to a malicious VNC server controlled by the attacker.
## Impact
- **Confidentiality:** Low (Memory information disclosure)
- **Integrity:** None
- **Availability:** None
- **Secondary Impact:** When combined with other vulnerabilities, the disclosed stack memory can be used to bypass ASLR, facilitating more severe exploitation chains such as Remote Code Execution (RCE).
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** Users should update to version 1.2.2.4 or newer to resolve these vulnerabilities. Patches were officially released in February 2019.
### Workarounds
- **Avoid Untrusted Servers:** Users should only connect to known and trusted VNC servers.
- **Network Segmentation:** Restrict outbound VNC traffic (TCP 5900+) to known-good destinations via firewall rules.
## Detection
- **Indicators of compromise:** Unexpected outbound connections from an UltraVNC process to unknown or unauthorized external IP addresses.
- **Detection methods and tools:** Network traffic analysis for malformed VNC protocol packets originating from a server to a client; vulnerability scanners capable of version detection for UltraVNC.
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-005-ultravnc-memory-leak/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-8259
- **UltraVNC Homepage:** hxxp[://]www[.]uvnc[.]com/