Multiple vulnerabilities in Stremio



Published: 2017-05-24 | Updated: 2017-06-02
Risk: High
Patch available: NO
Number of vulnerabilities: 4
CVE-ID: CVE-2017-8311, CVE-2017-8310, CVE-2017-8312, CVE-2017-8313
CWE-ID: CWE-122, CWE-125
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #1, #2, #3 and #4.
Vulnerable software: Stremio (Client/Desktop applications / Multimedia software)
Vendor: Stremio

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU6673

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-8311

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code and take over the device.

The weakness exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote attacker can create a specially crafted subtitle file which, when loaded by the target user with the affected software, leads to arbitrary code execution.

Successful exploitation of the vulnerability may result in full control over the affected PC.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Stremio: 3.0 - 3.6

External links

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU6887

Risk: Low

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-8310

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in CreateHtmlSubtitle in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Stremio: 3.0 - 3.6

External links

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU6888

Risk: Low

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-8312

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Stremio: 3.0 - 3.6

External links

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU6889

Risk: Low

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2017-8313

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in ParseJSS in VideoLAN VLC when processing subtitles. A remote unauthenticated attacker can create a specially crafted subtitle, trick the victim into loading it and trigger an application crash via an out-of-bounds read.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Stremio: 3.0 - 3.6

External links

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


