Vulnerabilities > CVE-2018-17141 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 2 | |
| Application | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1515.NASL description Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input sanitising in the Hylafax fax software could potentially result in the execution of arbitrary code via a malformed fax message. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 117642 published 2018-09-24 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117642 title Debian DLA-1515-1 : hylafax security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1515-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(117642); script_version("1.2"); script_cvs_date("Date: 2018/11/16 15:19:25"); script_cve_id("CVE-2018-17141"); script_name(english:"Debian DLA-1515-1 : hylafax security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input sanitising in the Hylafax fax software could potentially result in the execution of arbitrary code via a malformed fax message. For Debian 8 'Jessie', this problem has been fixed in version 3:6.0.6-6+deb8u1. We recommend that you upgrade your hylafax packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/09/msg00026.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/hylafax" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax-client-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax-server-dbg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"hylafax-client", reference:"3:6.0.6-6+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"hylafax-client-dbg", reference:"3:6.0.6-6+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"hylafax-server", reference:"3:6.0.6-6+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"hylafax-server-dbg", reference:"3:6.0.6-6+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2018-11B966722A.NASL description HylaFAX+ 5.6.1 ============== - address CVE-2018-17141, fixes JPEG vulnerabilities (18 Sep 2018) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-09-27 plugin id 117716 published 2018-09-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117716 title Fedora 27 : hylafax+ (2018-11b966722a) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1027.NASL description This update for hylafax+ fixes the following issues : Security issues fixed in 5.6.1 : - CVE-2018-17141: multiple vulnerabilities affecting fax page reception in JPEG format Specially crafted input may have allowed remote execution of arbitrary code (boo#1109084) Additionally, this update also contains all upstream corrections and bugfixes in the 5.6.1 version, including : - fix RFC2047 encoding by notify - add jobcontrol PageSize feature - don last seen 2020-06-05 modified 2018-09-24 plugin id 117658 published 2018-09-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117658 title openSUSE Security Update : hylafax+ (openSUSE-2018-1027) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4298.NASL description Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input sanitising in the Hylafax fax software could potentially result in the execution of arbitrary code via a malformed fax message. last seen 2020-06-01 modified 2020-06-02 plugin id 117621 published 2018-09-21 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117621 title Debian DSA-4298-1 : hylafax - security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-711.NASL description This update for hylafax+ fixes the following issues : Security issues fixed in 5.6.1 : - CVE-2018-17141: multiple vulnerabilities affecting fax page reception in JPEG format Specially crafted input may have allowed remote execution of arbitrary code (boo#1109084) Additionally, this update also contains all upstream corrections and bugfixes in the 5.6.1 version, including : - fix RFC2047 encoding by notify - add jobcontrol PageSize feature - don last seen 2020-05-31 modified 2019-03-27 plugin id 123309 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123309 title openSUSE Security Update : hylafax+ (openSUSE-2019-711) NASL family Fedora Local Security Checks NASL id FEDORA_2018-37A27807E0.NASL description HylaFAX+ 5.6.1 ============== - address CVE-2018-17141, fixes JPEG vulnerabilities (18 Sep 2018) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120350 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120350 title Fedora 28 : hylafax+ (2018-37a27807e0) NASL family Fedora Local Security Checks NASL id FEDORA_2018-B21354B100.NASL description HylaFAX+ 5.6.1 ============== - address CVE-2018-17141, fixes JPEG vulnerabilities (18 Sep 2018) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120718 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120718 title Fedora 29 : hylafax+ (2018-b21354b100) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_3DF5A9206EDC11E9A44B0050562A4D7B.NASL description A malicious sender that sets both JPEG and MH,MR,MMR or JBIG in the same DCS signal or sends a large JPEG page could lead to remote code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 124608 published 2019-05-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124608 title FreeBSD : comms/hylafax -- Malformed fax sender remote code execution in JPEG support (3df5a920-6edc-11e9-a44b-0050562a4d7b)
References
- https://www.x41-dsec.de/lab/advisories/x41-2018-008-hylafax/
- https://seclists.org/bugtraq/2018/Sep/49
- http://www.openwall.com/lists/oss-security/2018/09/20/1
- https://www.debian.org/security/2018/dsa-4298
- https://lists.debian.org/debian-lts-announce/2018/09/msg00026.html
- http://git.hylafax.org/HylaFAX?a=commit%3Bh=c6cac8d8cd0dbe313689ba77023e12bc5b3027be