UltraVNC < 1.2.2.4 Multiple Vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(252271);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/19");

  script_cve_id(
    'CVE-2018-15361',
    'CVE-2019-8258',
    'CVE-2019-8259',
    'CVE-2019-8260',
    'CVE-2019-8261',
    'CVE-2019-8262',
    'CVE-2019-8263',
    'CVE-2019-8264',
    'CVE-2019-8265',
    'CVE-2019-8266',
    'CVE-2019-8267',
    'CVE-2019-8268',
    'CVE-2019-8269',
    'CVE-2019-8270',
    'CVE-2019-8271',
    'CVE-2019-8272',
    'CVE-2019-8273',
    'CVE-2019-8274',
    'CVE-2019-8275',
    'CVE-2019-8276',
    'CVE-2019-8277',
    'CVE-2019-8280'
  );

  script_name(english:"UltraVNC < 1.2.2.4 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"A remote desktop application installed on the remote Windows host is affected by a multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of UltraVNC Service installed on the remote Windows host is prior to 1.2.2.4. It is, therefore, affected
by multiple vulnerabilities:

  - UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside RAW decoder, which can potentially 
    result code execution. This attack appear to be exploitable via network connectivity. This vulnerability has been 
    fixed in revision 1204. (CVE-2019-8280)
  
  - UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in 
    out-of-bound data being accessed by remote users. This attack appears to be exploitable via network connectivity. 
    These vulnerabilities have been fixed in revision 1212. (CVE-2019-8275)
  
  - UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer 
    handler, which can potentially in result code execution. This attack appears to be exploitable via network 
    connectivity. This vulnerability has been fixed in revision 1212. (CVE-2019-8274)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf");
  script_set_attribute(attribute:"solution", value:
"Upgrade to UltraVNC version 1.2.2.4 or later.");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8280");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ultravnc:ultravnc");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ultravnc_win_installed.nbin");
  script_require_keys("SMB/Registry/Enumerated", "installed_sw/UltraVNC");

  exit(0);
}

include('vcf.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');

var app_info = vcf::get_app_info(app:'UltraVNC', win_local:TRUE);

if (!app_info['Server'])
  audit(AUDIT_HOST_NOT, 'affected due to the UltraVNC server component not being installed');

if (!app_info['Service'])
  audit(AUDIT_HOST_NOT, 'affected due to UltraVNC not being configured to run as a service');

var constraints = [
  { 'fixed_version' : '1.2.2.4' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);