VideoLane claims that they have fixed critical vulnerability in VLC Media Player.
The company said VLC is not Vulnerable in recent tweet.
The vulnerability was discovered by German Security researchers.
According to National Vulnerability Database (NVD) – CVE-2019-13615 Details are as follow-
“This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.”
Current Description
“VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
NOTE: It has been reported that the vulnerability originates in libebml before 1.3.6 and was fixed in the 3.0.3 binary version of VLC.”
What is the vulnerability?
Remote Code Execution was found by security researcher, which allows bad actors cyber criminals to install, modify or run software without authorization, and could also be used to disclose files on the host system.
Affected Version
VLC Media Player was in version 3.0.6 and older to injected malicious code. Now there is a recent warning for VLC 3.0.7.1 for Linux, UNIX, Windows.
NVD has updated VLC CVE-2019-13615 and downgrading the severity from Critical to Medium with Change Log “Victim must Voluntarily interact with attack mechanism.”
Now, the all confusion has resolved after the VideoLane officially tweeted,
About the “security issue” on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.Thread:
— VideoLAN (@videolan) July 24, 2019
But the vulnerability still cannot completely fix, it can be exploited if user open a specifically manipulated file with the VLC Media Player.
However, the VLC developers have problems understanding the problem, and have been for longer. Project manager Jean-Baptiste Kempf also writes that he can not reproduce the bug and VLC does not crash at all.
Also Read – Stack Based Buffer Overflow Tutorial
The Twitter War starts,
VLC counter attack through its Tweet to Answer @MITREcorp @CERTbund (Federal computer emergency response team of Germany) @Gizmodo and CVE on Twitter, said that in recent years they have not even contacted VLC before they leaked a gap that was “not cool”. It also states that this is not an explicit VLC vulnerability.
"The reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries. But did not answer to our questions." "For whatever reason, unknown to us, @MITREcorp decided to issue a CVE, without talking to us." "This is not the first time that @MITREcorp does that. In fact, they NEVER EVER contact us when they find security issues on VLC, and we always discover that after they are public, when a user or a distribution asks us." "Would @MITREcorp behave the same way if we were Microsoft or another big company? But no, we're just a small non-profit, that does not even have the money to pay someone fulltime... End-of-thread."
VideoLane also said about Gizmodo, who reported to ‘Uninstall VLC media player’.
"It is still on the @Gizmodo frontpage. If you are working at @Gizmodo, are you not a bit ashamed?"
VideoLane tweet to @CERTbund,
"Then, this time, for whatever reason, @certbund decided to do an advisory https://www.cert-bund.de/advisoryshort/CB-K19-0634 …, without checking either the crash (it's not hard), or the vulnerability, or even contacting us." "So, when @certbund decided to do their "disclosure", all the media jumped in, without checking anything nor contacting us."
Overall, VideoLan claims that, VLC is not vulnerable because the problem exists with a third-party library called “libebml”. This was also already fixed 16 months ago and has also been fixed since VLC version 3.0.3, but MITRE has not checked.
