The latest edition of nonprofit VideoLAN’s VLC media player software has what the German agency CERT-Bund is calling a serious security flaw that allows hackers to install and run software without user knowledge, according to NewsX.
“This is just one in a long and constant stream of flaws in VLC. I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code,” said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Video players are a frequent target for file format exploits due to the inherent complexity of parsing multimedia files.”
If exploited, an attacker could gain remote access and potentially disclose information, manipulate files or create a denial-of-service state. According to NIST’s National Vulnerability Database, the vulnerability CVE-2019-13615 in the media player “has a heap-based buffer over-read.”
This isn’t the only VLC issue disclosed this month, according to Larry Trowell, principal consultant at Synopsys. “There have been four recent vulnerabilities disclosed that are loosely related to the same area of code. While the issue is serious, using the CVSS 3.0 standard to rate the severity of a vulnerability can be a bit misleading as issues tend to rank higher than in version 2. Using the CVSS 2.0 scale, this vulnerability ranks as a 7.5,” Trowell said.
Because the user has to voluntarily interact with the attack mechanism, Trowell said the attacker can’t initiate. “It’s easy to make a corrupted stream, but the trick is getting a user to play it. Also, this attack doesn’t give an attacker any extra privileges.
“There are not a lot of people who are playing random videos they get off the internet as the root/admin user on their computers. This attack can only be triggered with user interaction: the user has to either download a malicious file or open a stream that is streaming said files,” Trowell said.
As a result, a malicious actor would be dependent on the user searching out and opening a corrupted file. Trowell noted that this could be accomplished with a phishing campaign, but “it seems like in most cases the video sent would be opened with the internet browser or the email client, not VLC.
“Video parsing is hard to do correctly. There is a reason that a number of issues have been found and a reason why a correct patch will take time to implement and test. I do not know when the finding was announced to VLC or if any time was given to fix the issue before its announcement, and that should be taken into account when criticizing the company for not having a fix ready,” Trowell added.
***UPDATE*** This story was updated at 11:54am EST on July 26 with comment from Trowell in response to reports that the vulnerability has been debunked.
“It makes sense that the vulnerability arose from a third-party library—that is a very common scenario. Additionally, writing a good parser is a task that is much easier said than done. Something that is a bit concerning regarding this vulnerability is that Mitre didn’t make the distinction,” Trowell said.
“Something we shouldn’t discount is the fact that the third-party library was included in a number of distros, and while the VLC issue has been resolved, the vulnerable code still likely exists elsewhere in the wild. As such, I believe there is in fact a need to issue a warning, providing update guidance.”