Rewterz Threat Advisory – Multiple vulnerabilities fixed in VLC media player

Wednesday, August 21, 2019

Severity

High

Analysis Summary

CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970

A remote user could create a specifically crafted file that could trigger issues ranging from buffer overflows to division by zero. If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

Impact

  • Privilege access
  • Arbitrary code execution

Affected Vendors

VLC

Affected Products

VLC media player 3.0.7.1 and earlier

Remediation

Update to version 3.0.8 .

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 17, September 2019 Rewterz Threat Alert – Emotet Revival with Spam Emails Around the World
  • 17, September 2019 Rewterz Threat Advisory – CVE-2016-1409 – Cisco Products IPv6 Neighbor Discovery Crafted Packet Vulnerability
  • 17, September 2019 Rewterz Threat Alert – Phishing Attack Targets The Guardian’s Whistleblowing Site
  • 16, September 2019 Rewterz Threat Alert – InnfiRAT Malware Steals Litecoin And Bitcoin Wallet Information

Copyright © Rewterz. All rights reserved.