'Critical' vulnerability in VLC Media Player downgraded after VideoLAN claims the flaw was fixed 16 months ago

Reporter, MITRE and CERT-Bund all criticised for failing to check security flaw before issuing warnings

A 'critical' security flaw in VLC Media Player has been downgraded after the organisation behind the popular app claimed that the issue had already been fixed.

The NIST National Vulnerability Database has slashed its rating for CVE-2019-13615 from 9.8 to 5.5 and "is awaiting re-analysis which may result in further changes to the information provided" after VideoLAN, the not-for-profit open-source organisation behind VLC Media Player, complained that the advisories and associated CVEs were wrong.

Taking to Twitter, VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date libraries, and security firm MITRE for issuing a CVE before the reporter's claims could be examined by VideoLAN.

The issue highlighted by the researcher, VideoLAN claims, lies in a third-party library that was fixed more than 16 months ago. "VLC since version 3.0.3 has the correct version shipped and MITRE did not even check their claim," VideoLAN tweeted.

The company went on to explain that the reporter who claimed to have uncovered the problem was running Ubuntu 18.04 - the latest long-term release is 18.04.2 and the most up-to-date version is 19.04 - without all the associated libraries updated. Instead of emailing the company, the reporter filed a bug on the organisation's bug tracker - which is public.

"We could not, of course reproduce the issue, and tried to contact the security researcher, in private," the company added. At the same time, MITRE picked up the bug report and issued a CVE without talking to VideoLAN first.

This, VideoLAN claimed, not only contravenes MITRE's own policies but is also not the first time MITRE has done so. "This has been going on for years: almost all CVEs on VLC have completely insane CVSS [severity ratings]," it added.

"Any non-exploitable read overflow gets CVSS of 9.8, like VLC is a server and you could do RCE and compromise the machine, while most of the time, the issue is a crash, often not exploitable, from a local file that the user HAS to open manually. And, of course, they are never corrected."

However, the issue blew up when Germany's Computer Emergency Response Team (CERT-Bund) issued its own advisory without, VideoLAN claimed, even trying to reproduce the flaw or contacting VideoLAN.

"Would @MITREcorp behave the same way if we were Microsoft or another big company? But, no, we're just a small non-profit, that does not even have the money to pay someone full-time..."

As a result of VideoLAN's justified complaints the CVE rating was slashed, with the possibility of a further downgrade.

While the VideoLAN security flaw was almost certainly overblown, this week also saw more serious warnings over vulnerabilities in widely used corporate VPNs and new exploits for Windows based on the 'Bluekeep' security flaw.