CERT-Bund warns of a critical vulnerability in VLC player

VLC player is still affected by a critical heap-based memory buffer over-read condition, tracked as CVE-2019-13615, that could be exploited by a remote attacker to execute arbitrary code.

The VLC player is still affected by a critical remote code execution vulnerability tracked as CVE-2019-13615.

The potential impact of the flaw is important because the software has more than 3.1 billion installs across various operating systems and versions.

Germany’s national Computer Emergency Response Team (CERT-Bund) has also published a security advisory to warn of the flaw in the VLC media player.

“VLC Media Player is a program for playing multimedia files and network streams.” reads the security advisory

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

The vulnerability affects the latest release of the VLC player for Windows, Linux and UNIX, version 3.0.7.1, and likely earlier versions. The Germany’s national Computer Emergency Response Team (CERT-Bund) classified the flaw as a critical heap-based memory buffer over-read condition and assigned to it a score of 4 out of 5 on its severity scale.

The NIST National Vulnerability Database (NVD) rated the vulnerability as ‘critical’ severity and assigned it a CVSS score of 9.8 out of 10.

Both CERT-Bund and NVD pointed out that its exploitation doesn’t require system privileges or any user interaction, even if some experts believe that an attacker could exploit the flaw using a specially crafted mp4 file.

“As readers have correctly noticed in the heise security forum, the bugtracker entry (possibly as a proof of concept) depends on a .mp4 file.” reported the Heuse.de website. “This suggests that to exploit the vulnerability a prepared video file must be played. However, this is explicitly mentioned or confirmed neither in the CERT Bund report nor in the NVD entry. ( ovw ).”

According to the bugtracker used by the development team behind VLC, VideoLAN is already working on a security patch to address the flaw.

The good news is that at the time of writing, we are not aware of attacks in the wild exploiting the vulnerability.

In June, experts found two vulnerabilities in VLC media player that could allow remote attackers to take full control over a computer system while playing untrusted videos.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VLC player, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.