Main Vulnerability Database Vulnerabilities #VU23010

Improper Initialization in UltraVNC - CVE-2019-8277

Published: November 27, 2019

Vulnerability identifier: #VU23010

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-8277

CWE-ID: CWE-665

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: ultravnc.sourceforge.net

Affected software:
UltraVNC

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to an uninitialized read condition in VNC server code. A remote attacker can read stack memory and disclose sensitive information on the target system.

Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR.

How to mitigate CVE-2019-8277

Install updates from vendor's website.

Sources

https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-024-ultravnc-improper-initialization/

Improper Initialization in UltraVNC - CVE-2019-8277

Detailed vulnerability description

How to mitigate CVE-2019-8277

Sources

Please verify you're human