Vulnerabilities > CVE-2018-17000 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
libtiff
debian
canonical
CWE-476
nessus

Summary

A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1161.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : - CVE-2018-19210: Fixed a NULL pointer dereference in TIFFWriteDirectorySec function (bsc#1115717). - CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). - CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123816
    published2019-04-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123816
    titleopenSUSE Security Update : tiff (openSUSE-2019-1161)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-1161.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123816);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/23");
    
      script_cve_id("CVE-2018-17000", "CVE-2018-19210", "CVE-2019-6128", "CVE-2019-7663");
    
      script_name(english:"openSUSE Security Update : tiff (openSUSE-2019-1161)");
      script_summary(english:"Check for the openSUSE-2019-1161 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2018-19210: Fixed a NULL pointer dereference in
        TIFFWriteDirectorySec function (bsc#1115717). 
    
      - CVE-2018-17000: Fixed a NULL pointer dereference in the
        _TIFFmemcmp function (bsc#1108606).
    
      - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen
        function in tif_unix.c (bsc#1121626).
    
      - CVE-2019-7663: Fixed an invalid address dereference in
        the TIFFWriteDirectoryTagTransfer function in
        libtiff/tif_dirwrite.c (bsc#1125113)
    
    This update was imported from the SUSE:SLE-15:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108606"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115717"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121626"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1125113"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected tiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/08");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"libtiff-devel-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"libtiff5-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"libtiff5-debuginfo-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"tiff-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"tiff-debuginfo-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"tiff-debugsource-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libtiff5-32bit-4.0.9-lp150.4.16.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libtiff5-32bit-debuginfo-4.0.9-lp150.4.16.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-devel / libtiff5 / libtiff5-debuginfo / tiff / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-3058-1.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2019-14973: Fixed an improper check which was depended on the compiler which could have led to integer overflow (bsc#1146608). CVE-2016-5102: Fixed a buffer overflow in readgifimage() (bsc#983268) CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id131308
    published2019-11-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131308
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2019:3058-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1680.NASL
    descriptionBrief introduction CVE-2018-17000 A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) allows an attacker to cause a denial of service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp. CVE-2018-19210 There is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset. CVE-2019-7663 An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file. We believe this is the same as CVE-2018-17000 (above). For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id122265
    published2019-02-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122265
    titleDebian DLA-1680-1 : tiff security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4670.NASL
    descriptionSeveral vulnerabilities have been found in the TIFF library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
    last seen2020-05-06
    modified2020-04-30
    plugin id136127
    published2020-04-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136127
    titleDebian DSA-4670-1 : tiff - security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3906-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122811
    published2019-03-13
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122811
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3906-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0786-1.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2018-19210: Fixed a NULL pointer dereference in TIFFWriteDirectorySec function (bsc#1115717). CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606). CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626). CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123497
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123497
    titleSUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2019:0786-1)