CVE-2023-47359: VLC Media Player Buffer Overflow Vulnerability
VideoLAN has released VLC Media Player 3.0.20 and it is now available for Windows, Mac, and Linux. This update is not just about enhancing user experience through bug fixes; it’s a critical shield against two high-risk security vulnerabilities.
The first of the two vulnerabilities patched in this release, identified as CVE-2023-47359, carries a high CVSS score of 9.8. This flaw, a heap-based buffer overflow within the `GetPacket()` function, could lead to severe memory corruption. A heap overflow of this kind can allow an attacker to execute arbitrary code and gain unauthorized access to the user’s system.
The second vulnerability, CVE-2023-47360, is an integer underflow resulting in an incorrect packet length. With a CVSS score of 7.5, it may seem less severe than its counterpart, but it remains a significant concern. Integer underflow, especially in media players, can lead to unexpected behaviors, including application crashes or, in worst-case scenarios, a doorway for attackers to exploit the system.
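The bug class described above, as an added illustration that is not VLC's source code: a length field read from the wire wraps around when a header size is subtracted from it, and the resulting "length" then exceeds any destination buffer. The 8-byte header, the field offset, the buffer size and all function names are assumptions made for this example, not the MMS packet layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 8u     /* assumed header size (not the real MMS layout) */
#define BUF_SIZE 1024u  /* assumed capacity of the destination buffer */

/* Constructed sample packets: 8-byte header, 16-bit LE total length at offset 6. */
static const uint8_t PKT_OK[12] = {0, 0, 0, 0, 0, 0, 12, 0, 'd', 'a', 't', 'a'};
static const uint8_t PKT_BAD[8] = {0, 0, 0, 0, 0, 0, 4, 0}; /* claims total = 4 */
static uint8_t OUT[BUF_SIZE];

static size_t rd16le(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Flawed arithmetic: trusts the length field, so total < HDR_SIZE wraps around. */
size_t payload_len_unchecked(const uint8_t *pkt)
{
    return rd16le(pkt + 6) - HDR_SIZE;
}

/* Hardened parse: copies the payload into out, returns its length or -1 to reject. */
int parse_packet_checked(const uint8_t *pkt, size_t avail, uint8_t *out, size_t out_cap)
{
    if (avail < HDR_SIZE) return -1;      /* header not fully received */
    size_t total = rd16le(pkt + 6);
    if (total < HDR_SIZE) return -1;      /* subtraction would underflow */
    if (total > avail) return -1;         /* claims more bytes than were received */
    size_t payload = total - HDR_SIZE;
    if (payload > out_cap) return -1;     /* copy would overflow the destination */
    memcpy(out, pkt + HDR_SIZE, payload);
    return (int)payload;
}

int main(void)
{
    printf("unchecked length for bad packet: %zu\n", payload_len_unchecked(PKT_BAD));
    printf("checked, bad packet:  %d\n", parse_packet_checked(PKT_BAD, sizeof PKT_BAD, OUT, sizeof OUT));
    printf("checked, good packet: %d\n", parse_packet_checked(PKT_OK, sizeof PKT_OK, OUT, sizeof OUT));
    return 0;
}
```

The checked version validates the claimed length against the header size, the bytes actually received and the destination capacity before any copy takes place.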
Interestingly, both vulnerabilities are rooted in an old protocol, the Microsoft Media Server (MMS). MMS, initially designed for unicast data transfer in Windows Media Services, utilizes UDP or TCP for data transmission, typically on port 1755 (UDP or TCP). The discovery of these flaws in such an established protocol highlights the enduring challenge of securing legacy systems in modern software.
Security researcher 0xariana has been credited for finding these flaws. 0xariana also published detailed technical insights into these flaws, providing invaluable information for users and developers alike.
VLC Media Player 3.0.20 is more than just an update; it is a vital corrective measure against potentially devastating security risks. For users, the message is clear: updating to the latest version is not just recommended; it is essential for continued secure use.