CVE-2019-8275
First published: Fri Mar 01 2019(Updated: )
UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of-bound data being accessed by remote users. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.
Credit: vulnerability@kaspersky.com vulnerability@kaspersky.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| UltraVNC | <1.2.2.3 | |
| Siemens Sinumerik Access MyMachine/P2P | <4.8 | |
| Siemens Sinumerik PCU Base Win10 Software | <14.00 | |
| Siemens Sinumerik PCU Base Win7 Software/IPC | <=12.01 | |
| Siemens SINAMICS GH150 | ||
| Siemens SINAMICS GL150 Firmware | ||
| Siemens SINAMICS GM150 (with option X30) | ||
| Siemens SINAMICS SH150 firmware | ||
| Siemens SINAMICS SL150 | ||
| Siemens SINAMICS SM120 | ||
| Siemens SINAMICS SM150 Firmware | ||
| Siemens SINAMICS SM150i firmware | ||
| Siemens SIMATIC HMI Comfort Outdoor Panels 7’ and 15’ (incl. SIPLUS variants) Update 4 | <16 | 16 |
| Siemens SIMATIC HMI Comfort Panels | <16 | 16 |
| Siemens SIMATIC HMI Mobile Panels | <16 | 16 |
| Siemens SIMATIC WinCC Runtime Advanced | <16 | 16 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-286838.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-940818.pdf
- https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-022-ultravnc-improper-null-termination/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
- https://www.us-cert.gov/ics/advisories/icsa-20-161-06
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-131-04 (Advisory)
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-131-11 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2019-8275?
CVE-2019-8275 is classified as a high severity vulnerability due to the potential for attackers to exploit it remotely.
How do I fix CVE-2019-8275?
To fix CVE-2019-8275, update to UltraVNC revision 1212 or a later version.
What are the affected versions for CVE-2019-8275?
CVE-2019-8275 affects UltraVNC versions up to 1.2.2.3 and several Siemens products including various SIMATIC and SINAMICS systems.
Can CVE-2019-8275 be exploited remotely?
Yes, CVE-2019-8275 can be exploited remotely due to improper null termination vulnerabilities.
What type of vulnerability is CVE-2019-8275?
CVE-2019-8275 is characterized by multiple improper null termination vulnerabilities leading to out-of-bounds data access.
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/ics-cert-advisory
- source/ICS
- vendor/uvnc
- canonical/ultravnc
- vendor/siemens
- canonical/siemens sinumerik access mymachine/p2p
- canonical/siemens sinumerik pcu base win10 software
- canonical/siemens sinumerik pcu base win7 software/ipc
- version/siemens sinumerik pcu base win7 software/ipc/12.01
- canonical/siemens sinamics gh150
- canonical/siemens sinamics gl150 firmware
- canonical/siemens sinamics gm150 (with option x30)
- canonical/siemens sinamics sh150 firmware
- canonical/siemens sinamics sl150
- canonical/siemens sinamics sm120
- canonical/siemens sinamics sm150 firmware
- canonical/siemens sinamics sm150i firmware
- canonical/siemens simatic hmi comfort outdoor panels 7’ and 15’ (incl. siplus variants) update 4
- canonical/siemens simatic hmi comfort panels
- canonical/siemens simatic hmi mobile panels
- canonical/siemens simatic wincc runtime advanced