Full Report
UltraVNC Viewer before 1.2.2.4 has a buffer underflow vulnerability, which can potentially result in code execution.
Analysis Summary
# Vulnerability: UltraVNC Viewer Buffer Underwrite (Underflow)
## CVE Details
- **CVE ID:** CVE-2018-15361
- **CVSS Score:** 8.8 (High). *Note: based on the vector provided, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.*
- **CWE:** CWE-124 (Buffer Underwrite) / CWE-191 (Integer Underflow)
## Affected Systems
- **Products:** UltraVNC Viewer
- **Versions:** All versions prior to 1.2.2.4
- **Configurations:** Systems where a user initiates a connection to a remote VNC server.
## Vulnerability Description
UltraVNC Viewer is susceptible to a buffer underflow (also referred to as a buffer underwrite) vulnerability. The flaw occurs during the handling of data packets received from a VNC server. If a malicious or compromised VNC server sends a specially crafted response, the viewer fails to properly validate the data boundaries or offsets, leading to memory corruption. This can allow an attacker to write data to memory locations before the intended buffer, potentially overwriting critical program control data.
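As an added illustration of the missing check the description refers to (a constructed example, not UltraVNC's code; the framebuffer geometry, header layout and function names are assumptions), a toy viewer decodes a server-sent rectangle header and validates it twice: once with a bound check that only tests the upper edge and so lets a negative offset through, and once with a hardened check that rejects it.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed illustration (not UltraVNC's code): a viewer receives a
 * rectangle header (x, y, w, h) from the server and computes where in its
 * framebuffer the pixels will be written. All names here are hypothetical. */

#define FB_WIDTH  64          /* framebuffer geometry of the toy viewer */
#define FB_HEIGHT 32

typedef struct { int x, y, w, h; } rect_t;

/* Decode a four-field big-endian header the way the hypothetical viewer does:
 * the fields land in signed ints, so 0xFFF8 becomes -8 rather than 65528. */
static rect_t decode_rect(const uint8_t hdr[8]) {
    rect_t r;
    r.x = (int16_t)((hdr[0] << 8) | hdr[1]);
    r.y = (int16_t)((hdr[2] << 8) | hdr[3]);
    r.w = (int16_t)((hdr[4] << 8) | hdr[5]);
    r.h = (int16_t)((hdr[6] << 8) | hdr[7]);
    return r;
}

/* Naive bound check: only the far edge is tested. A negative x or y still
 * satisfies x + w <= FB_WIDTH, so the computed offset lands before the
 * buffer (CWE-124 reached through a negative offset). */
static bool rect_ok_naive(rect_t r) {
    return r.x + r.w <= FB_WIDTH && r.y + r.h <= FB_HEIGHT;
}

/* Hardened check: reject negative or empty rectangles first, then add in a
 * wider unsigned type so the sum itself cannot wrap (CWE-191). */
static bool rect_ok_hardened(rect_t r) {
    if (r.x < 0 || r.y < 0 || r.w <= 0 || r.h <= 0) return false;
    uint64_t x_end = (uint64_t)r.x + (uint64_t)r.w;
    uint64_t y_end = (uint64_t)r.y + (uint64_t)r.h;
    return x_end <= FB_WIDTH && y_end <= FB_HEIGHT;
}

/* Pixel offset into the framebuffer for the header, or -1 when the check
 * rejects it. With the naive check the crafted header yields -8: a write
 * before the start of the buffer. */
static long rect_offset(const uint8_t hdr[8], bool (*check)(rect_t)) {
    rect_t r = decode_rect(hdr);
    if (!check(r)) return -1;
    return (long)r.y * FB_WIDTH + r.x;
}

/* Constructed headers: a benign 4x4 rectangle at (10,5), and one with x = -8. */
static const uint8_t benign_hdr[8]  = {0x00,0x0A, 0x00,0x05, 0x00,0x04, 0x00,0x04};
static const uint8_t crafted_hdr[8] = {0xFF,0xF8, 0x00,0x00, 0x00,0x04, 0x00,0x04};
```

The benign header passes both checks with the same offset, which is the property to keep when tightening validation in a real client.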
## Exploitation
- **Status:** Proof of Concept (PoC) available
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Requirement:** User interaction is required; a user must be persuaded to connect their UltraVNC Viewer to a malicious VNC server controlled by the attacker.
## Impact
- **Confidentiality:** High (Potential for memory dumping and information disclosure)
- **Integrity:** High (Potential for arbitrary code execution)
- **Availability:** High (Potential for application crash and Denial of Service)
## Remediation
### Patches
- **Update to UltraVNC 1.2.2.4 or newer.** The vendor released this patch in February 2019 to address the vulnerability by implementing stricter input validation.
### Workarounds
- **Strict Server Verification:** Connect only to trusted and known VNC servers.
- **Network Segmentation:** Restrict outbound VNC traffic to known-good IP addresses using firewall rules to prevent accidental connections to malicious external servers.
## Detection
- **Indicators of Compromise:** Unusual application crashes of `vncviewer.exe` when connecting to specific remote hosts.
- **Detection Methods:**
  - Network monitoring: watch for outbound VNC traffic (typically TCP ports 5900-5906) to unauthorized or external IP addresses.
  - Security software: use EDR/AV solutions to monitor for suspicious child processes spawned by UltraVNC Viewer.
## References
- **Vendor Advisory:** hxxp[://]www[.]uvnc[.]com/
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-003-ultravnc-buffer-underwrite/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-15361