Multiple vulnerabilities in Accusoft ImageGear



Published: 2019-12-03
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2019-5076
CVE-2019-5133
CVE-2019-5132
CVE-2019-5083
CWE-ID CWE-787
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Vulnerable software
Subscribe
ImageGear
Web applications / Modules and components for CMS

Vendor Accusoft Corporation

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU23343

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-5076

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the "igcore19d.dll" PNG header-parser. A remote attacker can send a specially crafted PNG IHDR Width field file, trick a victim to open it, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ImageGear: 19.3.0

CPE2.3 External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0865


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Out-of-bounds write

EUVDB-ID: #VU23346

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-5133

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the "igcore19d.dll" BMP parser. A remote attacker can create a specially crafted BMP file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ImageGear: 19.3.0

CPE2.3 External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0922


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Out-of-bounds write

EUVDB-ID: #VU23345

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-5132

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the "igcore19d.dll" GEM Raster parser. A remote attacker can create a specially crafted GEM file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ImageGear: 19.3.0

CPE2.3 External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0921


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Out-of-bounds write

EUVDB-ID: #VU23344

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-5083

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in the igcore19d.dll "TIFdecodethunderscan" function. A remote attacker can send a specially crafted TIFF file, trick a victim to open it, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ImageGear: 19.3.0

CPE2.3 External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0875


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###