In all current versions of the VLC Player up to V3.0.7.1 there is a critical vulnerability that allows a Denial of Service attack, according to a warning issued by the German BSI. Update: This was a false alarm; there was no vulnerability in current VLC Player versions. Details inside.
VLC Media Player is a program for playing multimedia files and network streams. It is available free of charge from the VideoLAN website and is quite popular. VLC Media Player is available for Windows, macOS, Linux, Android and other platforms.
Warning from the German BSI
The German BSI (Bundesamt für Sicherheit in der Informationstechnik) warns in this document about a critical Denial of Service vulnerability in all VLC Player versions up to v3.0.7.1. A remote, anonymous attacker can exploit a vulnerability in VLC to crash the program. To exploit the vulnerability, a manipulated file must be opened.
The BSI refers to this SecurityFocus entry, which reported a VideoLAN VLC CVE-2019-13602 Heap Based Buffer Overflow Vulnerability for all VLC Player versions as of June 14, 2019.
Unfortunately, BürgerCERT recommends installing the security updates provided by the manufacturer promptly in order to close the vulnerability. However, there is no VLC Player version newer than 3.0.7.1.
Details about the bug
The National Vulnerability Database (NVD) classifies the vulnerability as critical with a base score of 9.8. Here is the NVD entry:
VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
A heap buffer overflow occurs there in the MKV module, so that read pointers can point outside the intended memory. As I read it, the error occurs when opening and decoding MKV files. However, I came across this entry, which may put it into perspective. There you can find the text for CVE-2019-13602:
An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.
Publish Date: 2019-07-14, Last Update Date: 2019-07-15
This contradicts the NVD entry above. It reports a problem in MP4 files and gives a CVSS score of 6.8 for a Denial of Service / Overflow. A possible explanation of the discrepancy can be found here.
The German site heise reports here that no attack scenarios are known. At the moment the developers of the VideoLAN project are still working on a bugfix. On GitHub there has been a first commit for this bug since June 27, 2019. It is unclear when an updated version of the VLC Player will be released.
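The two advisory texts above both describe a length computation that goes wrong (an integer underflow in one case, a heap over-read in the other). The following is an added example, not VLC code and not the MP4/EIA-608 or MKV format: a hypothetical record with a 2-byte length prefix, a function that shows what the unguarded "total minus header" subtraction produces for a buffer shorter than the header, and the guarded parser a reviewer would ask for. The unguarded function only returns the wrapped number and never touches memory; the sample records are constructed.

```c
/* Added example, not VLC code: the integer-underflow pattern behind
 * "length minus header" computations, and the guarded form. The record
 * layout used here (2-byte big-endian length prefix, then payload) is
 * constructed for illustration; it is not the MP4/EIA-608 or MKV format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 2u  /* hypothetical fixed header size */

/* Unchecked computation of "bytes after the header". For total < HDR_LEN
 * the unsigned subtraction wraps to a value near SIZE_MAX; a copy or loop
 * bounded by that value runs far past the buffer, which is the heap
 * over-read/overflow the advisory texts describe. This function only
 * returns the wrapped number and never touches memory. */
size_t payload_len_unchecked(size_t total)
{
    return total - HDR_LEN;
}

/* Guarded parser: rejects buffers too small for a header, and rejects a
 * declared length larger than what the buffer actually holds. Returns 1
 * on success with *payload_len set, 0 on any inconsistency. */
int parse_record_checked(const uint8_t *buf, size_t total, size_t *payload_len)
{
    if (buf == NULL || payload_len == NULL || total < HDR_LEN)
        return 0;                              /* the underflow would happen here */
    size_t declared  = ((size_t)buf[0] << 8) | buf[1];
    size_t available = total - HDR_LEN;        /* cannot wrap: total >= HDR_LEN */
    if (declared > available)
        return 0;                              /* header claims more than is present */
    *payload_len = declared;
    return 1;
}

/* Copy the payload into a caller-supplied buffer, bounded by both the
 * validated length and the destination capacity. Returns bytes copied,
 * or -1 if the record is malformed or the destination is too small. */
int copy_payload(const uint8_t *buf, size_t total, uint8_t *out, size_t out_cap)
{
    size_t n;
    if (!parse_record_checked(buf, total, &n) || n > out_cap)
        return -1;
    memcpy(out, buf + HDR_LEN, n);
    return (int)n;
}

/* Constructed sample records (not captured from any real file). */
static const uint8_t SAMPLE_GOOD[]  = {0x00, 0x03, 'a', 'b', 'c'}; /* claims 3, holds 3 */
static const uint8_t SAMPLE_LYING[] = {0x00, 0x03, 'a'};           /* claims 3, holds 1 */
static const uint8_t SAMPLE_SHORT[] = {0x00};                      /* shorter than a header */

int main(void)
{
    uint8_t out[8];
    size_t n = 0;

    printf("unchecked length for a 1-byte buffer: %zu\n", payload_len_unchecked(1));
    printf("good record parses: %d (payload %zu)\n",
           parse_record_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n), n);
    printf("lying record parses: %d\n",
           parse_record_checked(SAMPLE_LYING, sizeof SAMPLE_LYING, &n));
    printf("short record parses: %d\n",
           parse_record_checked(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &n));
    printf("copied %d bytes from good record\n",
           copy_payload(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out));
    return 0;
}
```

The two checks in `parse_record_checked` are the ones that matter: the first prevents the subtraction from wrapping at all, the second stops a header from declaring more payload than the buffer contains, which is the usual way a crafted file turns a parser into an out-of-bounds read.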
Alleged patch, VLC developers cannot reproduce the bug
Addendum: I have just seen two pieces of information on Twitter. The following tweet is supposedly about a patch.
VLC HAS A PATCH, THIS ONE IS APPARENTLY BAD, PATCH NOW:
ICYMI: @SBSDiva @AdminKirsty @thurrott @maryjofoley @bdsams @mehedih_ @ruthm @SwiftOnSecurity @pcper @MalwareJake @JobCacka @etguenni https://t.co/pv9EZGlXTH
— Crysta T. Lacey (@PhantomofMobile) July 23, 2019
The linked text says that the patch has been in progress for four weeks and is 60% complete, but will not be rolled out yet. Quote:
VLC Media Player's developer, the non-profit organisation VideoLAN, is currently working on a patch that, it claims, is now 60 per cent complete. The company has been working on the fix for the past four weeks, according to the bug report by the company.
On the other hand, the second tweet, posted by How-To Geek, made me a little unsure:
The VLC flaw isn't reproducible according to VLC's developers. VLC is fine. @videolan https://t.co/Mi8Z4z3bTZ by @chrisbhoffman
— How-To Geek (@howtogeek) July 23, 2019
The message: CVE-2019-13615 cannot be reproduced by the VideoLAN developers. Here are their tweets:
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
Did you even check this?
No one can reproduce this issue here. — VideoLAN (@videolan) July 23, 2019
This is of course bad – something is going wrong there.
VideoLAN developers explain the issue
Addendum: The developers of the VideoLAN project have now cleared up the mystery. The following tweet gives the details.
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. Thread:
— VideoLAN (@videolan) July 24, 2019
PC Games also has this article with some details. The problem is the third-party library libebml, which was shipped with older Ubuntu versions such as 18.04. The bug was reported there to the VideoLAN project, which was the wrong addressee. VLC Player V3.0.3 and higher include the correct version of the library and everything is fine. Thanks to Markus for the comment.
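Since the question that remains for a Linux user is "which VLC do I have, and which libebml does its MKV demuxer actually load?", here is an added shell check that is not from the article or the VideoLAN project. It compares the installed VLC version against 3.0.3, the release the VideoLAN thread names, and lists the libebml shared object the MKV plugin resolves through `ldd`. Assumptions: `vlc --version` begins with a line of the form "VLC version X.Y.Z", and the default plugin path is the Debian/Ubuntu amd64 location; pass another path as the first argument to `mkv_plugin_libebml` otherwise.

```shell
#!/bin/sh
# Added example, not from the article or the VideoLAN project: check
# whether an installed VLC is at least 3.0.3 (the release the VideoLAN
# thread names as shipping the fixed libebml) and show which libebml the
# MKV demux plugin actually links against.
# Assumptions: `vlc --version` starts with "VLC version X.Y.Z"; the plugin
# path default is the Debian/Ubuntu amd64 location.

# Compare dotted numeric versions: succeeds when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Print "ok" if a VLC version string ships the fixed libebml, else "old".
vlc_status() {
    if version_ge "$1" "3.0.3"; then echo ok; else echo old; fi
}

# Read the installed VLC version from `vlc --version` (empty if not installed).
installed_vlc_version() {
    vlc --version 2>/dev/null | sed -n 's/^VLC version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# List the libebml shared object the MKV plugin loads, via ldd.
mkv_plugin_libebml() {
    plugin="${1:-/usr/lib/x86_64-linux-gnu/vlc/plugins/demux/libmkv_plugin.so}"
    if [ ! -r "$plugin" ]; then
        echo "plugin not found: $plugin" >&2
        return 1
    fi
    ldd "$plugin" | awk '/libebml/ { print $1, $3 }'
}

# Run the check when invoked with --check (the functions stay sourceable).
if [ "${1:-}" = "--check" ]; then
    v="$(installed_vlc_version)"
    if [ -z "$v" ]; then
        echo "vlc not found"
    else
        echo "installed VLC $v: $(vlc_status "$v")"
        mkv_plugin_libebml || true
    fi
fi
```

Run it as `sh vlc-check.sh --check`. The version comparison is done in awk rather than with `sort -V` so that it also works where only a minimal `sort` is available; the `ldd` line tells you which copy of libebml the plugin resolves, which is the point the VideoLAN thread makes: the fix lives in the library, not in VLC itself.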