Full Report
UltraVNC before 1.2.2.4 has an out-of-bounds read vulnerability in the VNC client code inside the Ultra decoder, which results in a denial-of-service (DoS) condition of the VNC client.
Analysis Summary
# Vulnerability: UltraVNC Decoder Out-of-bounds Read
## CVE Details
- **CVE ID:** CVE-2019-8270
- **CVSS Score:** 6.5 (Medium) *Note: The source lists a base score of 6.5; the temporal vector it provides corresponds to a score of 5.6 under CVSS v3.0.*
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** UltraVNC (VNC Client)
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems running the UltraVNC Viewer using the "Ultra" decoder for screen data processing.
## Vulnerability Description
An out-of-bounds read vulnerability exists within the Ultra decoder component of the UltraVNC client code. The flaw is triggered when the client processes specially crafted data packets sent from a VNC server. Because the decoder fails to properly validate the boundaries of the data it is reading, an attacker can cause the application to access memory addresses outside of the intended buffer, leading to an immediate crash of the VNC client application.
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **User Interaction:** Required (Target user must connect their VNC client to a malicious or compromised VNC server).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Results in a Denial-of-Service (DoS) condition by crashing the client software).
## Remediation
### Patches
- **UltraVNC 1.2.2.4:** This version and all subsequent releases contain the fix for this vulnerability. Users should upgrade immediately.
### Workarounds
- **Server Verification:** Connect only to trusted VNC servers.
- **Decoder Configuration:** If possible, switch to a different encoding format (e.g., Hextile or Tight) in the client connection settings to avoid utilizing the vulnerable Ultra decoder, though this may impact performance.
## Detection
- **Indicators of Compromise:** Unexpected crashes of `vncviewer.exe` specifically during the handshake or initial screen refresh phase when connecting to a remote host.
- **Detection Methods:** Monitor network traffic for VNC connections to unknown or unauthorized external IP addresses. Use endpoint protection to log application crashes and review stack traces pointing to the `Ultra` decoder module.
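
One way to run the crash review described above on a Windows endpoint (an added example, not part of the original advisory or of UltraVNC): it lists `vncviewer.exe` crashes recorded in the Application event log and flags those from builds older than 1.2.2.4. The 30-day window, the assumption that the viewer's reported version matches the release number, and the access-violation exception code are assumptions, not details from the advisory.

```powershell
# Added example: triage "Application Error" (Event ID 1000) records for UltraVNC Viewer crashes.
$FixedVersion = [version]'1.2.2.4'      # first fixed release, per the advisory
$Since        = (Get-Date).AddDays(-30) # assumed look-back window
$AccessViol   = 'c0000005'              # assumption: an out-of-bounds read usually faults with this code

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $Since
}

# Event 1000 payload order: [0] app name, [1] app version, [3] faulting module, [6] exception code.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq 'vncviewer.exe' } |
    ForEach-Object {
        $appVersion = $null
        # Compare as [version], not as strings, so that 1.2.2.10 sorts after 1.2.2.4.
        $parsed = [version]::TryParse([string]$_.Properties[1].Value, [ref]$appVersion)
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Host            = $_.MachineName
            AppVersion      = $_.Properties[1].Value
            FaultModule     = $_.Properties[3].Value
            ExceptionCode   = $_.Properties[6].Value
            # An unparseable version is treated as unpatched so it still gets reviewed.
            Unpatched       = (-not $parsed) -or ($appVersion -lt $FixedVersion)
            AccessViolation = ([string]$_.Properties[6].Value -ieq $AccessViol)
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Rows with `Unpatched` set to `True` are the ones to correlate with VNC connections to unknown or unauthorized hosts around the same timestamp.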
## References
- **Vendor Advisory:** http://www.uvnc.com/
- **Kaspersky ICS CERT:** https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-017-ultravnc-out-of-bounds-read/
- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2019-8270