CVE-2023-46814
📋 TL;DR
A binary hijacking vulnerability in VLC media player's uninstaller on Windows allows standard users to execute arbitrary code with SYSTEM privileges. This occurs because the uninstaller runs with elevated permissions from a location where standard users can write files. Users running VLC before version 3.0.19 on Windows are affected.
💻 Affected Systems
- VideoLAN VLC media player
⚠️ Risk & Real-World Impact
Worst Case
Standard user gains full SYSTEM privileges, enabling complete system compromise, data theft, malware installation, and persistence establishment.
Likely Case
Standard user escalates privileges to SYSTEM, potentially installing additional malware or accessing sensitive system resources.
If Mitigated
With proper user privilege separation and application control, impact is limited to the user's own account scope.
🎯 Exploit Status
Exploitation requires local access with standard-user privileges and an elevated run of the uninstaller to hijack; the weakness lies in how the uninstaller is staged and launched, not in VLC's media handling, so it cannot be triggered remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.19 and later
Vendor Advisory: https://www.videolan.org/security/sb-vlc3019.html
Restart Required: No
Instructions:
1. Download VLC 3.0.19 or later from videolan.org.
2. Run the installer to upgrade the existing installation.
3. Verify the version in Help > About.
🔧 Temporary Workarounds
Remove vulnerable VLC versions
Windows: uninstall VLC versions before 3.0.19 from affected systems. This step itself runs the affected uninstaller, so perform it from an administrator session while no untrusted standard user is logged on to the machine.
Control Panel > Programs > Uninstall a program > Select VLC > Uninstall
Restrict write permissions
Windows: remove standard users' write permission on the VLC installation directory.
icacls "C:\Program Files\VideoLAN\VLC" /deny Users:(OI)(CI)W
By default standard users already cannot write under Program Files, so this only helps where that ACL has been loosened. The explicit deny ACE also binds administrators (an elevated token still carries the Users group SID), so remove it again (icacls /remove:d Users on the same directory) before upgrading or uninstalling.
🧯 If You Can't Patch
- Remove VLC from systems where it's not essential
- Implement application control to block execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the VLC version in Help > About. If the version is below 3.0.19, the system is vulnerable.
Check Version:
"C:\Program Files\VideoLAN\VLC\vlc.exe" --version
Verify Fix Applied:
Confirm VLC version is 3.0.19 or higher in Help > About.
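The version check above, and the write-permission workaround in the Temporary Workarounds section, as one added PowerShell example that is not part of the advisory or of VideoLAN's code. It reports whether the installed VLC is below 3.0.19 and whether a standard user can write to the install directory (after the icacls deny the second answer should be False). The registry locations (HKLM\SOFTWARE\VideoLAN\VLC with InstallDir and Version, the "VLC media player" uninstall entry) and the default install path are assumptions about VLC's installer; the version resource of vlc.exe is taken as authoritative when present.

```powershell
# Added example, not VideoLAN's code: reports whether the installed VLC is below
# the fixed version 3.0.19 and whether standard users can write to its install
# directory. Registry value names and the default path are assumptions.

$FixedVersion = [version]'3.0.19'

function Get-VlcInstallInfo {
    $dir = $null; $ver = $null
    # Vendor key (64-bit view first, then the 32-bit view on 64-bit Windows); assumed value names.
    foreach ($key in 'HKLM:\SOFTWARE\VideoLAN\VLC', 'HKLM:\SOFTWARE\WOW6432Node\VideoLAN\VLC') {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $dir = $p.InstallDir; $ver = $p.Version
            break
        }
    }
    if (-not $dir) {
        # Fall back to the Programs and Features entry (assumed display name).
        $u = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player'
        if (Test-Path $u) {
            $p = Get-ItemProperty -Path $u
            $dir = $p.InstallLocation; $ver = $p.DisplayVersion
        }
    }
    if (-not $dir) { $dir = Join-Path $env:ProgramFiles 'VideoLAN\VLC' }   # assumed default path
    # The binary's own version resource wins over a stale registry value.
    $exe = Join-Path $dir 'vlc.exe'
    if (Test-Path $exe) {
        $fv = (Get-Item $exe).VersionInfo.ProductVersion
        if ($fv) { $ver = $fv }
    }
    [pscustomobject]@{ InstallDir = $dir; Version = $ver; Exe = $exe }
}

function ConvertTo-Version {
    param([string]$Text)
    # Keep only the numeric prefix; version strings may carry a codename suffix.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Test-StandardUserWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Principals every interactive standard user belongs to:
    # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
    $broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    # Write-class rights plus the GENERIC_WRITE / GENERIC_ALL bits some ACEs carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl' -bor 0x40000000 -bor 0x10000000
    $allowed = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID that cannot be resolved
        if ($broad -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # A matching Deny ACE wins over any Allow; that is what the icacls workaround relies on.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Test-VlcExposure {
    $info = Get-VlcInstallInfo
    $v = ConvertTo-Version -Text $info.Version
    $below = $null
    if ($v) { $below = ($v -lt $FixedVersion) }
    $writable = $null
    if (Test-Path $info.InstallDir) { $writable = Test-StandardUserWritable -Path $info.InstallDir }
    [pscustomobject]@{
        InstallDir             = $info.InstallDir
        Version                = $info.Version
        BelowFixedVersion      = $below
        InstallDirUserWritable = $writable
    }
}

Test-VlcExposure | Format-List
```

Run it from any session; reading the registry and the directory ACL does not need elevation. A BelowFixedVersion of True means patch; an InstallDirUserWritable of True on a pre-3.0.19 install means the directory ACL has been loosened and the icacls workaround is worth applying until the upgrade lands.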
📡 Detection & Monitoring
Log Indicators:
- Security event 4688 (process creation; requires Audit Process Creation to be enabled, and "Include command line in process creation events" for the CommandLine field) showing the VLC uninstaller, or any process whose image sits under a user-writable path, running as SYSTEM
- 4688 events for vlc.exe created with a fully elevated token (TokenElevationType %%1937)
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query (pseudo-SQL; SYSTEM is recorded in 4688 with SubjectUserSid S-1-5-18 and the computer account, not "SYSTEM", as SubjectUserName, so match on the SID):
EventID=4688 AND NewProcessName LIKE '%vlc%' AND (SubjectUserSid='S-1-5-18' OR TokenElevationType='%%1937')
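The log indicators above, as an added PowerShell example that is not part of the original advisory: a classifier for 4688 records, a live query over the Security log that feeds it, and a few constructed sample events to exercise it offline. The list of user-writable path fragments, the uninstaller file name uninstall.exe and the sample records are assumptions made for the example; the field names are the 4688 EventData names.

```powershell
# Added example, not from the advisory: flags Security event 4688 (process
# creation) records matching this CVE's pattern, i.e. a process running as SYSTEM
# (SID S-1-5-18) or with a fully elevated token (TokenElevationType %%1937) whose
# image sits under a user-writable path, or a VLC binary started that way.
# Sample events below are constructed, not real log data.

$SystemSid     = 'S-1-5-18'
$FullElevation = '%%1937'
# Path fragments standard users can normally write under (assumed list; tune per estate).
$UserWritablePaths = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\')
$VlcBinary = '\\(vlc|uninstall)\.exe$'   # uninstall.exe is the assumed uninstaller name

function Test-VlcHijackIndicator {
    param([Parameter(Mandatory)][hashtable]$E)   # EventData name -> value
    $img    = [string]$E['NewProcessName']
    $parent = [string]$E['ParentProcessName']
    $reasons = @()
    $privileged = ($E['SubjectUserSid'] -eq $SystemSid) -or ($E['TokenElevationType'] -eq $FullElevation)
    if (-not $privileged) { return $reasons }

    $fromUserPath = [bool]($UserWritablePaths | Where-Object { $img -like "*$_*" })
    $vlcImage     = $img -match $VlcBinary
    $vlcParent    = $parent -match $VlcBinary

    if ($fromUserPath) { $reasons += "SYSTEM/elevated process image under a user-writable path: $img" }
    if ($vlcImage)     { $reasons += "VLC binary started SYSTEM/elevated by $($E['SubjectUserName'])" }
    if ($vlcParent -and -not $vlcImage) { $reasons += "privileged child of a VLC binary: $parent -> $img" }
    return $reasons
}

function Get-VlcHijackIndicators {
    # Live query: needs an elevated session to read the Security log.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
        $why = Test-VlcHijackIndicator -E $data
        if ($why) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Image   = $data['NewProcessName']
                Reasons = ($why -join '; ')
            }
        }
    }
}

# Constructed sample records (not real log data) to exercise the classifier offline.
$SampleEvents = @(
    @{  # uninstaller copy relaunched from %TEMP% as SYSTEM: the hijack pattern
        SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'WS01$'; SubjectDomainName = 'CORP'
        TokenElevationType = '%%1936'
        NewProcessName = 'C:\Users\alice\AppData\Local\Temp\~nsu1.tmp\Au_.exe'
        ParentProcessName = 'C:\Program Files\VideoLAN\VLC\uninstall.exe' },
    @{  # alice playing a video with a limited token: benign
        SubjectUserSid = 'S-1-5-21-1000-2000-3000-1001'; SubjectUserName = 'alice'; SubjectDomainName = 'CORP'
        TokenElevationType = '%%1938'
        NewProcessName = 'C:\Program Files\VideoLAN\VLC\vlc.exe'
        ParentProcessName = 'C:\Windows\explorer.exe' },
    @{  # vlc.exe launched with a fully elevated token: worth a look
        SubjectUserSid = 'S-1-5-21-1000-2000-3000-500'; SubjectUserName = 'admin'; SubjectDomainName = 'CORP'
        TokenElevationType = '%%1937'
        NewProcessName = 'C:\Program Files\VideoLAN\VLC\vlc.exe'
        ParentProcessName = 'C:\Windows\System32\cmd.exe' }
)

$SampleEvents | ForEach-Object {
    [pscustomobject]@{ Image = $_.NewProcessName; Reasons = ((Test-VlcHijackIndicator -E $_) -join '; ') }
} | Format-Table -AutoSize -Wrap
```

On the samples, the first record is flagged twice (image under a user-writable path, and a privileged child of the uninstaller), the second not at all, and the third once for the elevated vlc.exe. Expect some noise from the first rule in production: SYSTEM legitimately launches installer helpers from C:\Windows\Temp and ProgramData, so pair the hit with the parent image and command line before escalating.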