Vulnerability Description
UltraVNC revision 1211 contains multiple memory leaks (CWE-665) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Uvnc | Ultravnc | < 1.2.2.3 |
| Siemens | Sinumerik Access Mymachine\/P2P | < 4.8 |
| Siemens | Sinumerik Pcu Base Win10 Software\/Ipc | < 14.00 |
| Siemens | Sinumerik Pcu Base Win7 Software\/Ipc | <= 12.01 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdfThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19Third Party Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
- https://www.us-cert.gov/ics/advisories/icsa-20-161-06Third Party AdvisoryUS Government Resource
- https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdfThird Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19Third Party Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
- https://www.us-cert.gov/ics/advisories/icsa-20-161-06Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2019-8277?
CVE-2019-8277 is a vulnerability with a CVSS score of 7.5 (HIGH). UltraVNC revision 1211 contains multiple memory leaks (CWE-665) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vu...
How severe is CVE-2019-8277?
CVE-2019-8277 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-8277?
Check the references section above for vendor advisories and patch information. Affected products include: Uvnc Ultravnc, Siemens Sinumerik Access Mymachine\/P2P, Siemens Sinumerik Pcu Base Win10 Software\/Ipc, Siemens Sinumerik Pcu Base Win7 Software\/Ipc.