Null pointer dereference in libmspack (Alpine package)



Published: 2018-11-27
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2018-18585
CWE-ID: CWE-476
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: libmspack (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Null pointer dereference

EUVDB-ID: #VU15908

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-18585

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.

The vulnerability exists because the chmd_read_headers function, defined in the mspack/chmd.c source code file of the affected software, accepts filenames that have embedded NULL bytes. A remote attacker can trick the victim into accessing a Compiled HTML (CHM) file that submits malicious input to the targeted system, trigger a NULL pointer dereference and cause the service to crash.
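
The condition named in the description, a length-prefixed filename that contains NUL bytes, can be rejected when the entry is parsed. The following is an added example, not libmspack's code or its actual fix; check_counted_name and the sample entries are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of validating a counted (length-prefixed) filename. */
enum name_check { NAME_OK = 0, NAME_EMPTY, NAME_EMBEDDED_NUL };

/*
 * Validate a filename given as a buffer plus declared length, the way
 * archive directory entries store names. Hypothetical helper: it is not
 * part of libmspack's API.
 */
enum name_check check_counted_name(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return NAME_EMPTY;
    /* A NUL inside the declared length means C string functions will
     * see a shorter (possibly empty) name than the parser accepted. */
    if (memchr(buf, 0, len) != NULL)
        return NAME_EMBEDDED_NUL;
    return NAME_OK;
}

/* Constructed sample entries: raw bytes plus declared length. */
static const struct { const char *bytes; size_t len; } samples[] = {
    { "/index.html", 11 },   /* well formed */
    { "\0hidden.htm", 11 },  /* leading NUL: C string view is "" */
    { "/a\0b.htm", 8 },      /* NUL in the middle: C string view is "/a" */
    { "", 0 },               /* zero-length name */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const unsigned char *p = (const unsigned char *)samples[i].bytes;
        /* The gap between declared length and strlen() is the mismatch
         * that later code handling the name is not prepared for. */
        printf("entry %zu: declared=%zu strlen=%zu verdict=%d\n", i,
               samples[i].len, strlen(samples[i].bytes),
               (int)check_counted_name(p, samples[i].len));
    }
    return 0;
}
```
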

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

libmspack (Alpine package): 0.7.1_alpha-r0 - 0.8_alpha-r0-r0

External links

http://git.alpinelinux.org/aports/commit/?id=7b7625a81b8571398c20ac7e40ff345e3dfe118c
http://git.alpinelinux.org/aports/commit/?id=a80261c4dde42201d0c53b6f7297c02b2b441827
http://git.alpinelinux.org/aports/commit/?id=d1f9356cc16b987133023ad09713a9df00127e16
http://git.alpinelinux.org/aports/commit/?id=47362d38b04fa0174cb5db3d5ad497bb08657843
http://git.alpinelinux.org/aports/commit/?id=3a49d88a9384e72b92ad518a7f8cf56dfe1c4513
http://git.alpinelinux.org/aports/commit/?id=6f862b5f45d6e18068d8e26af441f403f4444e6e
http://git.alpinelinux.org/aports/commit/?id=c9b4a96edd80dfc0ae4bd6d76202612f6bbd42d7
http://git.alpinelinux.org/aports/commit/?id=e59fb2371eb8b367558761b562b73e8b1935e498


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


