VLC Media Player < 2.2.2 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9267

Synopsis

The remote host contains a media application that is affected by multiple attack vectors.

Description

The remote host is running VLC 2.x prior to 2.0.2 and is affected by multiple vulnerabilities :

- An invalid pointer dereference flaw exists in the 3GP file format parser. With a specially crafted 3GP file, a context-dependent attacker can potentially execute arbitrary code.
- The libpng library used by VLC contains an out-of-bounds read flaw in the 'png_convert_to_rfc1123()' function in 'png.c' that may allow a context-dependent attacker to crash an application linked against the library or disclose memory contents.
- The libEBML library used by VLC contains a use-after-free error in the 'EblMaster::Read()' function in 'EbmlMaster.cpp' that is triggered when handling deeply nested elements with an infinite size. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
- The libEBML library used by VLC contains an out-of-bounds read condition in the 'UTFstring::UpdateFromUTF8()' function in 'EbmlUnicodeString.cpp' that is triggered when reading UTF-8 strings. This may allow a context-dependent attacker to crash an application linked against the library or potentially disclose memory contents.
- The libpng library contains overflow conditions in the 'png_set_PLTE()' function in 'pngset.c' and 'png_get_PLTE()' function in 'pngget.c' that are triggered when handling bit depths less than 8. With a specially crafted PNG image, a context-dependent attacker can cause a buffer overflow, crashing an application linked against the library or potentially execute arbtirary code.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the web interface does not validate files' title metadata before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered as user-supplied input is not properly validated when handling a specially crafted MP4 file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
- An unspecified double-free flaw exists in the ADPCM decoder, which may allow an attacker to have an unspecified impact.
- Multiple unspecified double-frees, integer overflows, infinite loops, read overflows, invalid frees, and division-by-zero flaws exist. No further details have been provided by the vendor.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the HTTP interface does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- An off-by-one overflow condition exists in the RealRtsp module. The issue is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow, resulting in an unspecified impact.

Solution

Upgrade to VLC Media Player version 2.2.2 or later.

See Also

http://www.videolan.org/developers/vlc-branch/NEWS

http://www.videolan.org/vlc/releases/2.2.2.html

Plugin Details

Severity: Critical

ID: 9267

Family: Web Clients

Published: 4/22/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:videolan:vlc_media_player

Patch Publication Date: 2/6/2016

Vulnerability Publication Date: 10/22/2015

Reference Information

CVE: CVE-2015-1659, CVE-2015-5949, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8789, CVE-2015-8790

BID: 76448, 77304, 77568, 78624