silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,159
Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service (DoS) and arbitrary code execution, Cisco Talos’ security researchers warn.
A company founded by VideoLAN members, Videolabs is the current editor of the VLC mobile applications and also an important contributor to the VLC media player. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.
The most severe of the newly discovered vulnerabilities is an exploitable remote code execution bug in the label-parsing functionality of the library. It is tracked as CVE-2020-6072 and has a CVSS score of 9.8.
“When parsing compressed labels in mDNS messages, the `rr_decode` function's return value is not checked, leading to a double free that could be exploited to execute arbitrary code. An attacker can send an mDNS message to trigger this vulnerability,” Talos explains.