Full Report
UltraVNC before 1.2.2.4 has an out-of-bounds read vulnerability in the VNC client code inside the TextChat module, which results in a denial-of-service (DoS) condition.
Analysis Summary
# Vulnerability: UltraVNC TextChat Out-of-bounds Read
## CVE Details
- **CVE ID:** CVE-2019-8267
- **CVSS Score:** 7.5 (High) - *Note: While the source text lists a base score of 0.0 in its summary header, the provided CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) calculates to 6.5 (Medium) for v3.1, or 7.5 (High) if User Interaction is not strictly required.*
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** UltraVNC
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems running the UltraVNC Viewer (client) application using the TextChat module.
## Vulnerability Description
An out-of-bounds read vulnerability exists within the VNC client-side code of UltraVNC, specifically located in the **TextChat module**. The flaw is triggered when the client processes specially crafted data sent from a VNC server. Because the application does not properly validate the boundaries of the data being read, an attacker can cause the application to access memory outside of the intended buffer.
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low.
- **Attack Vector:** Network. Successful exploitation requires a user to connect their UltraVNC client to a malicious or compromised VNC server.
## Impact
- **Confidentiality:** None.
- **Integrity:** None.
- **Availability:** High (Results in application crash or Denial-of-Service condition).
## Remediation
### Patches
- **Update to UltraVNC version 1.2.2.4** or newer. The vendor released this patch in February 2019 to address the memory handling flaw.
### Workarounds
- **Disable TextChat:** If you cannot update immediately, avoid using the TextChat functionality where the configuration allows.
- **Restrict Connections:** Connect only to trusted VNC servers and implement strict firewall rules to prevent outgoing VNC connections to unknown external IP addresses.
## Detection
- **Indicators of Compromise:** Unusual application crashes of `vncviewer.exe` when joining a session or using the chat features.
- **Detection methods:** Use Endpoint Detection and Response (EDR) tools to monitor for crashes in the UltraVNC process. Vulnerability scanners can identify outdated versions of the UltraVNC executable.
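
The two detection methods above combined, as an added example (not from the advisory or the UltraVNC project): it triages the message text of Windows Application Error events (event ID 1000) for `vncviewer.exe` crashes and compares the reported version with 1.2.2.4. The sample events are constructed, and treating the event's version field as the UltraVNC release number is an assumption.

```python
import re

FIXED = (1, 2, 2, 4)            # first fixed release named in this report
ACCESS_VIOLATION = 0xC0000005   # exception a bad memory read typically raises

# Constructed sample messages (not real telemetry) in the layout of the
# Windows "Application Error" event, ID 1000.
SAMPLE_EVENTS = [
    "Faulting application name: vncviewer.exe, version: 1.2.2.3, time stamp: 0x5c0a1b2c\n"
    "Faulting module name: vncviewer.exe, version: 1.2.2.3, time stamp: 0x5c0a1b2c\n"
    "Exception code: 0xc0000005\nFault offset: 0x0004f2a1",
    "Faulting application name: VNCViewer.exe, version: 1.2.2.4, time stamp: 0x5c6d0e1f\n"
    "Faulting module name: ucrtbase.dll, version: 10.0.17763.1, time stamp: 0x5b9e3c4d\n"
    "Exception code: 0xc0000409\nFault offset: 0x0006e14e",
    "Faulting application name: notepad.exe, version: 10.0.17763.1, time stamp: 0x5b9e3a11\n"
    "Exception code: 0xc0000005\nFault offset: 0x00001234",
]

APP_RE = re.compile(
    r"Faulting application name:\s*([^,]+),\s*version:\s*(\d+(?:\.\d+)*)", re.I)
CODE_RE = re.compile(r"Exception code:\s*0x([0-9a-f]+)", re.I)


def parse_version(text):
    """Turn '1.2.2.3' into a 4-tuple, padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def triage(message):
    """Return None for unrelated events, else details of the viewer crash."""
    app = APP_RE.search(message)
    if not app or app.group(1).strip().lower() != "vncviewer.exe":
        return None
    code = CODE_RE.search(message)
    version = parse_version(app.group(2))
    return {
        "version": version,
        "vulnerable": version < FIXED,   # releases before 1.2.2.4 are affected
        "access_violation": bool(code) and int(code.group(1), 16) == ACCESS_VIOLATION,
    }


def findings(events):
    """Keep only the events that concern the UltraVNC viewer."""
    return [r for r in map(triage, events) if r is not None]


if __name__ == "__main__":
    for r in findings(SAMPLE_EVENTS):
        print(".".join(map(str, r["version"])), r["vulnerable"], r["access_violation"])
```

A crash that is both `vulnerable` and `access_violation` is the one worth correlating with the server the viewer was connected to at the time.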
## References
- **Vendor Advisory:** hxxps://ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-014-ultravnc-out-of-bounds-read/
- **NVD Entry:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2019-8267
- **UltraVNC Downloads:** hxxps://uvnc[.]com/downloads/ultravnc.html