Vulnerability Details: CVE-2019-8259
UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC client code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1199.
Vulnerability category: Information leak
Products affected by CVE-2019-8259
- cpe:2.3:a:siemens:sinumerik_access_mymachine\/p2p:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_pcu_base_win10_software\/ipc:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_pcu_base_win7_software\/ipc:*:*:*:*:*:*:*:*
- cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-8259
- EPSS score: 0.52% (probability of exploitation activity in the next 30 days)
- Percentile: ~76% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-8259
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-8259
- The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Assigned by: nvd@nist.gov (Primary)
- The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Assigned by: vulnerability@kaspersky.com (Secondary)
References for CVE-2019-8259
- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
  Siemens SIMATIC UltraVNC HMI WinCC Products | CISA
- https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf
  Third Party Advisory
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-005-ultravnc-memory-leak/
  KLCERT-19-005: UltraVNC Memory Leak | Kaspersky Lab ICS CERT (Third Party Advisory)
- https://www.us-cert.gov/ics/advisories/icsa-20-161-06
  Siemens SINUMERIK | CISA (Third Party Advisory; US Government Resource)