SB2017051104 - Two remote code execution vulnerabilities in Power Software PowerISO
Published: May 11, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2017-2817)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness exists due to stack-based buffer overflow in the ISO parsing functionality of Power Software Ltd PowerISO. A remote attacker can send a specially crafted ISO file, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability result in arbitrary code execution.
2) Use-after-free error (CVE-ID: CVE-2017-2823)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in the ISO parsing functionality of Power Software Ltd PowerISO. A remote attacker can send a specially crafted ISO file, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability result in arbitrary code execution.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.