VideoLAN has released VLC 3.0.7, which includes 33 security fixes, 2 of them rated high severity. The most severe, CVE-2019-5439, is a heap buffer over-read in the AVI demuxer that is triggered by opening a crafted media file and can let an attacker run code with the rights of the user account running VLC.
VLC Media Player is one of the most popular media players and replaces the default operating system players, such as Windows Media Player, in many companies, both for its usability and its rich feature set. Earlier, a critical remote code execution vulnerability in the LIVE555 streaming library used by VLC had also been reported; that issue is separate from the batch fixed in 3.0.7. Jean-Baptiste Kempf, president of VideoLAN, explained in a blog post how such a large number of issues came to light at once: a bug bounty program funded by the European Commission (the EU-FOSSA project) paid researchers to audit VLC. The program resulted in the discovery and fixing of:
- 2 high-security issues
- 21 medium-security issues
- 10 low-security issues
CVE-2019-5439, one of the two high-severity issues, is a buffer over-read that VideoLAN considers exploitable up to remote code execution when a user opens a malicious file. In the worst case an attacker could install programs; view, change or delete data; or create new accounts with full user rights. The actual impact is bounded by the security context VLC runs in: if users run VLC from a standard, non-administrative account, a successful exploit is confined to that account's rights.
Audit Your Network for Vulnerable VLC Player Installations
It is very likely that VLC is installed somewhere in your environment. Update every installation to version 3.0.7 or higher to close this vulnerability; note that the fixed version is 3.0.7, so version strings must be compared numerically rather than alphabetically (3.0.11 is newer than 3.0.7, even though it sorts before it as text). Our custom color-coded vulnerability report shows you in no time which devices have a vulnerable VLC version and need to be patched. You can even deploy the latest version using Lansweeper's deployment feature.
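The following script is an added example, not part of the original post and not Lansweeper's own report logic. It shows the version check an audit needs: parse the VLC version as reported by an inventory tool, `vlc --version` or the Windows uninstall registry key, compare it numerically against the fixed release 3.0.7, and flag hosts whose version cannot be parsed for manual review instead of silently marking them patched. The inventory data and hostnames are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# CVE-2019-5439 is fixed in VLC 3.0.7; any older release is affected.
FIXED_VERSION: Tuple[int, int, int] = (3, 0, 7)

# Matches the leading numeric part of a version: "3.0.6", "3.0.7-1",
# "VLC media player 3.0.8 Vetinari" or "3.0" (patch level defaults to 0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_vlc_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a reported version string, or None.

    None means the string carries no recognisable version, so the caller
    must treat the host as 'unknown' rather than guessing it is safe.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the reported VLC version predates 3.0.7, False if patched,
    None if the version could not be parsed."""
    version = parse_vlc_version(version_text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 3.0.11 > 3.0.7 and
    # a 4.x development build is correctly treated as fixed.
    return version < FIXED_VERSION

# Constructed sample inventory of (hostname, reported VLC version).
# This is illustrative data, not an export from any real tool.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-001", "3.0.6"),
    ("ws-002", "3.0.7"),
    ("ws-003", "3.0.11"),                           # newer than 3.0.7 numerically
    ("ws-004", "2.2.8"),
    ("srv-010", "VLC media player 3.0.8 Vetinari"),  # as printed by 'vlc --version'
    ("mac-007", "3.0.7.1"),                         # extra component is ignored
    ("lnx-042", "unknown"),                         # inventory could not read a version
]

def audit(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort hosts into 'vulnerable', 'patched' and 'unknown' buckets."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in inventory:
        status = is_vulnerable(reported)
        if status is None:
            report["unknown"].append(host)
        elif status:
            report["vulnerable"].append(host)
        else:
            report["patched"].append(host)
    return report

def naive_string_compare_is_wrong() -> bool:
    """Show the pitfall the numeric comparison avoids: as plain strings,
    "3.0.11" sorts before "3.0.7" and would be misreported as vulnerable."""
    return "3.0.11" < "3.0.7"

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket deserve a manual look: an inventory agent that cannot read the version is exactly where an old portable VLC copy tends to hide.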
Update: Thanks to one of our community members, a deployment package is now available.
If you haven't already, start your free Lansweeper trial and get a list of all Windows, Linux or Mac computers with a vulnerable VLC Player version in no time.