VLC Media Player Plagued By Unpatched Critical RCE Flaw

A patch does not yet exist for a critical buffer overflow vulnerability in VLC Media Player that could enable remote code execution.

The VLC open-source media player has a critical-severity bug that could enable remote code execution and other malicious actions. Worse, there is no patch to patch the vulnerability.

The VLC media player, developed by the VideoLAN project, is used by more than 3.1 billion users. The vulnerability ( CVE-2019-13615 ) exists in the Windows, Linux and UNIX versions of VLC 3.0.7.1 (the latest version of the media player).

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” according to a release by German security agency CERT-Bund posted over the weekend.  CERT-Bund discovered the vulnerability.

According to NIST , the bug ranks 9.8 out of 10 on the CVSS 3.0 scale, making it critical severity. Despite the level of severity, no patch is currently available for the vulnerability. VideoLAN did not respond to a request for comment from Threatpost.

According to VideoLAN, current work is being done to create a patch, which is about 60 percent complete. That said, no exploitation of the vulnerability has been observed yet, according to CERT-Bund.

While details of the vulnerability are scant, CERT-Bund said that the flaw stems from an improper restriction of operations within the bounds of a memory buffer.

Specifically, VLC media player’s heap-based buffer over-read vulnerability exists in mkv::demux_sys_t::FreeUnused() in the media player’s modules/demux/mkv/demux.cpp function when called from mkv::Open in modules/demux/mkv/mkv.cpp.

It’s only the latest vulnerability in VLC media player. Earlier inJune two high-severity bugs were patched in the media playr. The flaws were an out-of-bound write vulnerability and a stack-buffer-overflow bug, and were two of 33 fixes being pushed out to the media player. VideoLAN said that the high number of patches stemmed from a newbug bounty program funded by European Commission, which was launched in hopes of keeping open source projects that EU institutions rely on secure. The program is maintained by the HackerOne bounty program facilitator.

Interested in more on patch management? Don’t miss our free live  Threatpost webinar , “ Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program.  Register and Learn More