The updated VLC is once more vulnerable to remote code execution, meaning that the software-operated malicious video might crash or joyfully malware the media player on the host machine.
Nevertheless, the developers of the open-source app, which has literally been downloaded thousands of times and used by countless networks, disputed this claim, saying that program errors cannot be used.
NIST of the U.S. government documented a “critical” heap buffer overflow referred to as CVE-2019-13615, allegedly present and unpatched in the most recent official VLC version 18.104.22.168. It is claimed that you can trump a victim into opening a booby-trapped VLC video that triggers a cockup that leads either to a harmless crash or to the execution of bad code. The flaw is, we are told, and present in the player builds Linux, UNIX and Windows.
According to NIST:
VideoLAN VLC media player 22.214.171.124 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
While the flaw in their databases was both identified as dangerous and usable by the CERT and NIST in Germany, VLC developers pump the brakes in panic over their vulnerability.
In a CVE-2019-13615 bug-tracking ticket, the lead VideoLAN developer Jean-Baptiste Kempf said he couldn’t recreate the crash with a proof-of-concept. MP4 video, provided four weeks ago by a security researcher who was supposed to crack the latest VLC releases, 126.96.36.199. He couldn’t crash older 3.0.6 and progressive releases like 3.0.8, he reported.
“This doesn’t crash a normal VLC 188.8.131.52 release,” Kempf added. “Sorry, this bug is not reproducible and VLC does not crash at all.” Francois Cartegnie, the VLC developer, was even blunter today.
“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”
When The Register attempted to play the VLC version 3.0.7 Vetinari (3.0.7-0-g86cee31099) proof-of-concept.MP4 on Linux, the player crashed with a segmentation error. There is confusion about what Kempf meant by “do not crash”–since it certainly crashes –and whether the bug is not reproducible means it cannot or cannot run remote code.
It would appear that the crashy. MP4 was generated by an automated VLC-compatible bug-hunting fuzzer. El Reg has asked for further comments from VLC developers at VideoLan and will update the story if we hear it.
There is no patch yet, although one is said to be coming.
Whether the default can be confirmed or not, the clash should be used by users and admits that media plugins and players like VLC can and should have security vulnerabilities and should be regularly updated to prevent hackers from exploiting bugs within the code.
Earlier this year, veteran Patrick Wardle from Apple Security Research explained how attackers can use VLC and other legacy applications as entry points for attackers looking to overcome new security protections in MacOS. The software itself is not vulnerable in this scenario, but instead has privileges that allow a malicious plugin to find vulnerable system components. A bunch of flaws in VLC have been recently patched by Media Player Maker in version 184.108.40.206. ®
Updated to add
The developers of VLC maintain that they are not faulty, that their software is not vulnerable, and nothing needs to be fixed: use the latest version of the media player with its latest libraries, and you should be ok. The problem lies in the libebml that has been resolved since then. Distros who use an out – of-date libebml will thus at least have a crash with video proof-of-concept.MP4.