{"id":10531,"date":"2019-07-20T11:24:15","date_gmt":"2019-07-20T09:24:15","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=10531"},"modified":"2023-09-09T21:59:24","modified_gmt":"2023-09-09T19:59:24","slug":"critical-vulnerability-in-vlc-player-up-to-v3-0-7-1","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/07\/20\/critical-vulnerability-in-vlc-player-up-to-v3-0-7-1\/","title":{"rendered":"Critical vulnerability in VLC player up to V3.0.7.1"},"content":{"rendered":"

\"Sicherheit\"[German<\/a>]In all current versions of the VLC Player up to V3.0.7.1, there is a critical vulnerability that allows a Denial of Service attack. The German BSI has issued a warning. Update<\/strong>: This was a false flag – there was no vulnerability in current VLC player versions – details inside.<\/p>\n

<\/p>\n

\"\"VLC Media Player is a program for playback of multimedia files and network streams. It is available for free on the Video LAN website and is quite popular. The VLC Media Player is available for Windows, macOS, Linux, Android etc.<\/p>\n

Warning of German BSI<\/h2>\n

German BSI (Bundesamt f\u00fcr Sicherheit in der Informationstechnologie) warns within this document about a critical Denial of Service vulnerability in all VLC player versions up to v3.0.7.1. A remote, anonymous attacker can exploit a vulnerability in VLC to crash the program. A modified file must be opened to exploit the vulnerability.<\/p>\n

The BSI refers to this security focus entry<\/a>, which reported a VideoLAN VLC CVE-2019-13602 Heap Based Buffer Overflow Vulnerability for all VLC Player versions as of June 14, 2019.<\/p>\n

Unfortunately, B\u00fcrgerCERT recommends the timely installation of the security updates provided by the manufacturer in order to close the vulnerabilities. However, there is no updated version of the VLC Player higher than version 3.0.7.1.<\/p>\n

Details about the bug<\/h2>\n

The National Vulnerability Database (NVD) classifies the vulnerability<\/a> with a 9.8 base score as critical. Here is the entry from NVD.<\/p>\n

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules\/demux\/mkv\/demux.cpp when called from mkv::Open in modules\/demux\/mkv\/mkv.cpp.<\/p><\/blockquote>\n

A heap buffer overflow occurs there in the MKV module, so that read pointers can point to external memories. The error occurs after my interpretation when opening and decoding MKV files. However, I came across this entry<\/a>, which might relativize it. There you can find the text for CVE-2019-13602:<\/p>\n

An Integer Underflow in MP4_EIA608_Convert() in modules\/demux\/mp4\/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.
\nPublish Date : 2019-07-14 Last Update Date : 2019-07-15<\/p><\/blockquote>\n

which is contrary to the above message in the National Vulnerability Database. It also reports a problem in MP4 files and gives a CVS score of 6.8 for the Denial Of ServiceOverflow. A possible explanation of the discrepancy can be found here<\/a>.<\/p>\n

German site heise reports here<\/a> that no attack scenarios are known. At the moment the developers of the Video LAN project are still working on a bugfix. On GitHub there is a first commit<\/a> for this bug since June 27, 2019. It is unclear when an updated version of the VLC player will be released.<\/p>\n

Allegedly patch, VLC developers can not reproduce bugs<\/h3>\n

Addendum:<\/strong> I just saw two pieces of information on Twitter. The following tweet is supposed to be about a patch.<\/p>\n

\n

VLC HAS A PATCH, THIS ONE IS APPARENTLY BAD, PATCH NOW:<\/p>\n

ICYMI: @SBSDiva<\/a> @AdminKirsty<\/a> @thurrott<\/a> @maryjofoley<\/a> @bdsams<\/a> @mehedih_<\/a> @ruthm<\/a> @SwiftOnSecurity<\/a> @pcper<\/a> @MalwareJake<\/a> @JobCacka<\/a> @etguenni<\/a>https:\/\/t.co\/pv9EZGlXTH<\/a><\/p>\n

\u2014 Crysta T. Lacey (@PhantomofMobile) 23. Juli 2019<\/a><\/p><\/blockquote>\n