Lucene search
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3216.NASLHistoryDec 03, 2022 - 12:00 a.m.
Debian DLA-3216-1 : vlc - LTS security update
2022-12-0300:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
debian 10
integer overflow vulnerability
videolan vlc media player
crafted playlist
rogue vnc server
nessus scanner
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
45.2%
The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3216 advisory.
- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. (CVE-2022-41325)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3216. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(168386);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/20");
script_cve_id("CVE-2022-41325");
script_name(english:"Debian DLA-3216-1 : vlc - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3216
advisory.
- An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by
tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or
execute code under some conditions. (CVE-2022-41325)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/vlc");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-3216");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-41325");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/vlc");
script_set_attribute(attribute:"solution", value:
"Upgrade the vlc packages.
For Debian 10 buster, this problem has been fixed in version 3.0.17.4-0+deb10u2.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-41325");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2022/12/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/12/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vlc");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'vlc', 'reference': '3.0.17.4-0+deb10u2'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'vlc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | vlc | p-cpe:/a:debian:debian_linux:vlc |
| debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |
Related
nvd
nvd
CVE-2022-41325
2022-12-06 16:15:11
redos
redos
ROS-20221207-02
2022-12-07 00:00:00
debiancve
debiancve
CVE-2022-41325
2022-12-06 16:15:11
cve
cve
CVE-2022-41325
2022-12-06 16:15:11
debian
debian
[SECURITY] [DLA 3216-1] vlc security update
2022-12-02 23:11:31
[SECURITY] [DSA 5297-1] vlc security update
2022-12-06 21:12:41
nessus
nessus
openSUSE 15 Security Update : vlc (openSUSE-SU-2022:10255-1)
2023-01-01 00:00:00
Debian DSA-5297-1 : vlc - security update
2022-12-07 00:00:00
openSUSE 15 Security Update : vlc (openSUSE-SU-2023:0366-1)
2023-11-14 00:00:00
veracode
veracode
Integer Overflow
2022-12-11 02:03:56
osv
osv
vlc - security update
2022-12-03 00:00:00
vlc - security update
2022-12-06 00:00:00
vlc vulnerabilities
2023-06-20 19:47:23
prion
prion
Integer overflow
2022-12-06 16:15:00
cvelist
cvelist
CVE-2022-41325
2022-12-06 00:00:00
ubuntucve
ubuntucve
CVE-2022-41325
2022-12-06 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-5297-1)
2022-12-07 00:00:00
Debian: Security Advisory (DLA-3216-1)
2022-12-03 00:00:00
openSUSE: Security Advisory for vlc (openSUSE-SU-2023:0366-1)
2024-03-04 00:00:00
alpinelinux
alpinelinux
CVE-2022-41325
2022-12-06 16:15:11
ubuntu
ubuntu
VLC media player vulnerabilities
2023-06-20 00:00:00
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
45.2%
Related for DEBIAN_DLA-3216.NASL