Remote code execution in WavPack
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2018-10538 CVE-2018-10539 CVE-2018-10540 CVE-2018-10536 CVE-2018-10537 |
| CWE-ID | CWE-190 CWE-787 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. |
| Vulnerable software Subscribe |
WavPack Client/Desktop applications / Multimedia software |
| Vendor | wavpack |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU12361
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10538
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error within ParseRiffHeaderConfig function in riff.c when processing WAV files. A remote unauthenticated attacker can create a specially crafted WAV file, trick the victim into opening it and trigger integer overflow in bytes_to_copy calculation and subsequent malloc call
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall patch from vendor's website:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
WavPack: 4.1 - 5.1.0
External linkshttp://github.com/dbry/WavPack/issues/33
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU12362
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10539
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error within ParseDsdiffHeaderConfig function in dsdiff.c when processing WAV files. A remote unauthenticated attacker can create a specially crafted WAV file, trick the victim into opening it and trigger integer overflow in bytes_to_copy calculation and subsequent malloc call
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall patch from vendor's website:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
WavPack: 4.1 - 5.1.0
External linkshttp://github.com/dbry/WavPack/issues/33
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU12363
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10540
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error within ParseWave64HeaderConfig function in wave64.c when processing WAV files. A remote unauthenticated attacker can create a specially crafted WAV file, trick the victim into opening it and trigger integer overflow in bytes_to_copy calculation and subsequent malloc call
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall patch from vendor's website:
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
WavPack: 4.1 - 5.1.0
External linkshttp://github.com/dbry/WavPack/issues/33
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overwrite
EUVDB-ID: #VU12398
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-10536
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the WAV parser component due to improper rejection of multiple format chunks by the ParseRiffHeaderConfig function, as defined in the riff.c source code file. A local attacker can execute a specially crafted .wav file, trigger heap buffer overwrite and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsWavPack: 4.50.0 - 5.1.0
External linkshttp://github.com/dbry/WavPack/issues/30
http://github.com/dbry/WavPack/issues/31
http://github.com/dbry/WavPack/issues/32
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Heap-based buffer overwrite
EUVDB-ID: #VU12399
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-10537
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition or execute arbitrary code on the target system.
The weakness exists in the W64 parser component due to improper rejection of multiple format chunks by the ParseWave64HeaderConfig function, as defined in the wave64.c source code file. A local attacker can execute a specially crafted .wav file, trigger heap buffer overwrite and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsWavPack: 4.50.0 - 5.1.0
External linkshttp://github.com/dbry/WavPack/issues/30
http://github.com/dbry/WavPack/issues/31
http://github.com/dbry/WavPack/issues/32
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
