NewStart CGSL CORE 5.04 / MAIN 5.04 : libtiff Multiple Vulnerabilities (NS-SA-2019-0185)
high Nessus Plugin ID 129913
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
The remote machine is affected by multiple vulnerabilities.Description
The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libtiff packages installed that are affected by multiple vulnerabilities:- Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186)
- Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2018-12900)
- The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)
- TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779)
- In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)
- A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456)
- An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
(CVE-2018-17100)
- An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101)
- LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily- sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. (CVE-2018-18557)
- An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL libtiff packages. Note that updated packages may not be available yet. Please contact ZTE for more information.See Also
Plugin Details
Severity: High
ID: 129913
File Name: newstart_cgsl_NS-SA-2019-0185_libtiff.nasl
Version: 1.4
Type: local
Published: 10/15/2019
Updated: 1/14/2021
Dependencies: ssh_get_info.nasl
Risk Information
CVSS Score Source: CVE-2018-8905
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.3
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal Vector: E:POC/RL:OF/RC:C
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: E:P/RL:O/RC:C
Vulnerability Information
Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 10/14/2019
Vulnerability Publication Date: 4/19/2016
Reference Information
CVE: CVE-2016-3186, CVE-2018-7456, CVE-2018-8905, CVE-2018-10779, CVE-2018-10963, CVE-2018-12900, CVE-2018-17100, CVE-2018-17101, CVE-2018-18557, CVE-2018-18661