Vulnerability Details : CVE-2019-8277
UltraVNC revision 1211 contains multiple memory leaks (CWE-665) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.
Vulnerability category: Information leak
Products affected by CVE-2019-8277
- cpe:2.3:a:siemens:sinumerik_access_mymachine\/p2p:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_pcu_base_win10_software\/ipc:*:*:*:*:*:*:*:*
- cpe:2.3:a:siemens:sinumerik_pcu_base_win7_software\/ipc:*:*:*:*:*:*:*:*
- cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-8277
0.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 74 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-8277
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-8277
-
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Assigned by:
- nvd@nist.gov (Primary)
- vulnerability@kaspersky.com (Secondary)
References for CVE-2019-8277
-
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-024-ultravnc-improper-initialization/
KLCERT-19-024: UltraVNC Improper Initialization | Kaspersky Lab ICS CERTThird Party Advisory
-
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
Siemens SIMATIC UltraVNC HMI WinCC Products | CISA
-
https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf
-
https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf
-
https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf
Third Party Advisory
-
https://www.us-cert.gov/ics/advisories/icsa-20-161-06
Siemens SINUMERIK | CISAThird Party Advisory;US Government Resource
Jump to