UltraVNC

[ci_di_es]

Hi uvnc Team & users,

last month there was found some UltraVNC Server vulnerabilities by Kaspersky.,
The Kaspersky advisory is not always clear and consistent.
Example:
The CVE-2019-8277 describes CWE 655 as a cause. CWE 655 means Insufficient Psychological Acceptability.
or
The affected product is before 1.2.2.3 but the
Vendor mitigation is 1212. That’s a conflict.
Additionally the several ratings are strange. For example the scope change rating.
The UltraVNC Server CVEs are:
CVE-2019-8277, CVE-2019-8276, CVE-2019-8275, CVE-2019-8274, CVE-2019-8273, CVE-2019-8272, CVE-2019-8271:
A statement of the manufacturer would be very helpfully.
Best Regards

Chris

[Rudi De Vos]

For this update we worked together with them to fix possible issue's.
Some issue's were already fixed in previous version. All are fixed in 1.2.2.4
Once fixed they are made public available.

sample
CVE-2019-8277
the server send a buffer (x,y,w,h,z) to the viewer
We only use xywh en z is something for later use
The issue was that we don't set z to 0, it contain some uninitialized memory ( 4 bits in z)
Uninitialized means that it contain some part of the memory that's isn't longer used, but it contain some data
and that data is exposed. It's a low risk, like you can see a few letters of a unknown book in a library.

Most fixes are for the viewer.
You can connect to a fake server, the server tell he has a 800x600 screen, but is actual sending data for 1920x1200
This will crash the viewer but you have a risk that some memory got overwritten.
We do not longer thrust the data send by the server and do some extra bounding checks.

I hope this clarify it a little.

[ci_di_es]

Thank you very much.