CVE-2019-8273 — Heap-based Buffer Overflow in Ultravnc

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

4.0%

top 11.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Sinumerik Access Mymachine P2P Siemens Sinumerik PCU Base Win10 Software IPC Uvnc Ultravnc +2 more

Timeline

PublishedMar 8

Latest updateMay 13

Description

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. This vulnerability has been fixed in revision 1212.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDuvnc/ultravnc< 1.2.2.3

▶CVEListV5kaspersky_lab/ultravnc1.2.2.3

▶NVDsiemens/sinumerik_access_mymachine_p2p< 4.8

▶NVDsiemens/sinumerik_pcu_base_win10_software_ipc< 14.00

▶NVDsiemens/sinumerik_pcu_base_win7_software_ipc12.01

🔴Vulnerability Details

GHSA

GHSA-f693-2xf3-fcpc: UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result↗2022-05-13

▶

📋Vendor Advisories

CISA ICS

Siemens SINUMERIK↗2020-06-12

▶

💬Community

Bugzilla

CVE-2019-0200 qpid-java: Malformed AMQP 0-8 to 0-10 commands resulting in a Denial of Service↗2019-03-04

▶