VLC player is still affected by a critical heap-based memory buffer over-read condition, tracked as CVE-2019-13615, that could be exploited by a remote attacker to execute arbitrary code.
The potential impact of the flaw is important because the software has more than 3.1 billion installs across various operating systems and versions.
Germany’s national Computer Emergency Response Team (CERT-Bund) has also published a security advisory to warn of the flaw in the VLC media player.
“VLC Media Player is a program for playing multimedia files and network streams.” reads the security advisory
“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”
The vulnerability affects the latest release of the VLC player for Windows, Linux and UNIX, version 18.104.22.168, and likely earlier versions. The Germany’s national Computer Emergency Response Team (CERT-Bund) classified the flaw as a critical heap-based memory buffer over-read condition and assigned to it a score of 4 out of 5 on its severity scale.
The NIST National Vulnerability Database (NVD) rated the vulnerability as ‘critical’ severity and assigned it a CVSS score of 9.8 out of 10.
Both CERT-Bund and NVD pointed out that its exploitation doesn’t require system privileges or any user interaction, even if some experts believe that an attacker could exploit the flaw using a specially crafted mp4 file.
“As readers have correctly noticed in the heise security forum, the bugtracker entry (possibly as a proof of concept) depends on a .mp4 file.” reported the Heuse.de website. “This suggests that to exploit the vulnerability a prepared video file must be played. However, this is explicitly mentioned or confirmed neither in the CERT Bund report nor in the NVD entry. ( ovw ).”
According to the bugtracker used by the development team behind VLC, VideoLAN is already working on a security patch to address the flaw.
The good news is that at the time of writing, we are not aware of attacks in the wild exploiting the vulnerability.