Critical vulnerability in VLC player up to V3.0.7.1

In all current versions of the VLC Player up to V3.0.7.1, there is a critical vulnerability that allows a Denial of Service attack. The German BSI has issued a warning. Update: This was a false flag; there was no vulnerability in current VLC player versions. Details inside.

VLC Media Player is a program for playback of multimedia files and network streams. It is available for free on the Video LAN website and is quite popular. The VLC Media Player is available for Windows, macOS, Linux, Android etc.

Warning of German BSI

The German BSI (Bundesamt für Sicherheit in der Informationstechnologie) warns in this document about a critical Denial of Service vulnerability in all VLC player versions up to v3.0.7.1. A remote, anonymous attacker can exploit a vulnerability in VLC to crash the program. A modified file must be opened to exploit the vulnerability.

The BSI refers to this SecurityFocus entry, which reported a VideoLAN VLC CVE-2019-13602 heap-based buffer overflow vulnerability for all VLC Player versions as of June 14, 2019.

BürgerCERT recommends installing the security updates provided by the manufacturer promptly in order to close the vulnerability. Unfortunately, there is no VLC Player version newer than 3.0.7.1.

Details about the bug

The National Vulnerability Database (NVD) classifies the vulnerability with a base score of 9.8 as critical. Here is the entry from the NVD:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

So a heap buffer over-read occurs in the MKV module, which means read pointers can point outside the intended buffer. As I interpret it, the error occurs when opening and decoding MKV files. However, I came across this entry, which might put it into perspective. There you can find the following text for CVE-2019-13602:

An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.
Publish Date: 2019-07-14, Last Update Date: 2019-07-15

which contradicts the entry in the National Vulnerability Database quoted above. It also reports a problem in MP4 files and gives a CVSS score of 6.8 for the Denial of Service / Overflow. A possible explanation of the discrepancy can be found here.

The German site heise reports here that no attack scenarios are known. At the moment the developers of the VideoLAN project are still working on a bug fix; on GitHub there has been a first commit for this bug since June 27, 2019. It is unclear when an updated version of the VLC player will be released.

Alleged patch; VLC developers cannot reproduce the bug

Addendum: I just saw two pieces of information on Twitter. The following tweet is supposed to be about a patch.

The text says that the patch has been in progress for 4 weeks and is 60% ready, but will not be rolled out yet. Quote:

VLC Media Player's developer, the non-profit organisation VideoLAN, is currently working on a patch that, it claims, is now 60 per cent complete. The company has been working on the fix for the past four weeks, according to the bug report by the company.

On the other hand, the second tweet on Twitter, from How-To Geek, left me a little unsure.

The message: CVE-2019-13615 cannot be reproduced by the VideoLAN developers. Here are their tweets:

This is of course bad; something is going wrong there.

VideoLAN developers explain the issue

Addendum: The developers of the VideoLAN project have now cleared up the mystery. The following tweet gives the details.

PC Games also has this article with some details. The problem is the third-party library libebml, which was shipped with older versions of Ubuntu such as 18.04. The bug was then reported to the VideoLAN project, which was the wrong addressee. VLC Player V3.0.3 and higher ship the correct version of the library, and everything is fine. Thanks to Markus for the comment.
