SB2019060529 - Multiple vulnerabilities in 010 Editor
Published: June 5, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-12553)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the StrCat function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
2) Input validation error (CVE-ID: CVE-2019-12554)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the WSubStr function (provided by the scripting engine) allows an attacker to cause a denial of service by crashing the application.
3) Input validation error (CVE-ID: CVE-2019-12555)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the SubStr function (provided by the scripting engine) allows an attacker to cause a denial of service by crashing the application.
Remediation
Install the update from the vendor's website.