The security flaw CVE-2019-13615, rated “critical”, was flagged by Germany’s national Computer Emergency Response Team (CERT-Bund). According to the report, the vulnerability affects VLC media player 3.0.7.1 on Linux, UNIX and Windows. It was described as a remote code execution (RCE) bug: an attacker could run code on the target machine, install software, or modify files and data without the user’s consent, and it could also be used to disclose files on the host system. Triggering it reportedly requires the user to open a malicious MKV video file, which then crashes and compromises the player. The entry in NIST’s National Vulnerability Database was given a base score of 9.8 out of 10.

VLC lead developer Jean-Baptiste Kempf said the bug report had been open on the VideoLAN tracker for the past four weeks, but that the issue is not reproducible and does not crash a normal release of VLC 3.0.7.1. Francois Cartegnie from VideoLAN warns on the ticket: “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.” The VideoLAN team’s Twitter account also criticised the CVE team and MITRE for publishing the vulnerability:
— VideoLAN (@videolan) July 23, 2019
Earlier this morning, VideoLAN took to Twitter to clarify that VLC is not vulnerable as CERT-Bund reported. According to the makers of VLC, the issue was in a third-party library, libebml, and was fixed more than 16 months ago. They added that VLC has shipped the corrected libebml since version 3.0.3, and that MITRE’s claim was based on an outdated version of VLC.
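The practical check that follows from VideoLAN’s statement is whether the installed VLC is 3.0.3 or newer, since that is the first release said to bundle the corrected libebml. The script below is an added example, not VideoLAN’s code and not part of the original report; it assumes that the first line of `vlc --version` has the form `VLC version 3.0.7.1 Vetinari (...)`, and the sample version strings it uses are constructed.

```shell
#!/bin/sh
# Added example (not VideoLAN's code): decide whether an installed VLC is old
# enough to still carry the vulnerable libebml. VideoLAN states that VLC has
# shipped the corrected libebml since version 3.0.3, so that is the threshold.

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing
# numeric components left to right; missing components count as 0.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        # Drop the component just compared (and its dot), if any remain.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# vlc_has_fixed_libebml VERSION: print "yes" if VERSION is 3.0.3 or newer
# (fixed libebml bundled), otherwise "no".
vlc_has_fixed_libebml() {
    if version_ge "$1" "3.0.3"; then echo yes; else echo no; fi
}

# extract_vlc_version: read `vlc --version` output on stdin and print the
# version number. Assumption (not verified against every build): the first
# line looks like "VLC version 3.0.7.1 Vetinari (...)".
extract_vlc_version() {
    sed -n '1s/^VLC version \([0-9][0-9.]*\).*/\1/p'
}

# Usage: query the local vlc; on a host without vlc on PATH, fall back to a
# constructed sample line so the script still demonstrates the check.
main() {
    v="$(vlc --version 2>/dev/null | extract_vlc_version)"
    if [ -z "$v" ]; then
        v="$(printf 'VLC version 3.0.7.1 Vetinari\n' | extract_vlc_version)"   # constructed sample
    fi
    printf 'VLC %s: fixed libebml bundled: %s\n' "$v" "$(vlc_has_fixed_libebml "$v")"
}

main
```

The comparison is done component by component rather than with `sort -V`, so it behaves the same on BSD and GNU userlands; a version with fewer components (for example `3.0`) is treated as older than `3.0.3`, which is the safe direction for a security check.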
Thread: — VideoLAN (@videolan) July 24, 2019

The VLC issue has since been downgraded on the National Vulnerability Database from a 9.8 to a 5.5 base score, with the note that the “Victim must voluntarily interact with attack mechanism”. The related entry in VideoLAN’s public bug tracker also lists the issue as fixed. Reacting to the press reports that claimed VLC media player is vulnerable, Kempf said: “It’s insane. People are saying, ‘You need to uninstall VLC’. It’s the usual people who don’t check their facts.” In other words, there is no need to uninstall VLC media player: the fix landed in libebml long ago and has shipped with VLC since version 3.0.3. It is still advisable to keep the software regularly updated, and to avoid playing untrusted MKV files in the media player. The current version of VLC is 3.0.7.1.