#VU12403 Improper input validation in libmad - CVE-2017-8372

Cybersecurity Help s.r.o.

Published: 2018-05-08

Vulnerability identifier: #VU12403

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-8372

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libmad
Universal components / Libraries / Libraries used by multiple products

Vendor: Underbit Technologies

Description
The vulnerability allows a remote attackert o casue DoS condition on the target system.

The weakness exists in the mad_layer_III function in layer3.c due to assertion failure if NDEBUG is omitted. A remote attacker can submit a specially crafted audio file, trick the victim into opening it and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libmad: 0.15.1b

External links
https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for libmad

Improper input validation in libmad (Alpine package)

Debian update for libmad