Null pointer dereference in libmspack

#VU15908 Null pointer dereference in libmspack

Published: 2018-11-14 | Updated: 2018-11-15

Vulnerability identifier: #VU15908

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-18585

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libmspack
Universal components / Libraries / Libraries used by multiple products

Vendor: Stuart Caie

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to the chmd_read_headers function, as defined in the mspack/chmd.c source code file of the affected software, accepts filenames that have embedded NULL bytes. A remote attacker can trick the victim into accessing a Compiled HTML (CHM) file that submits malicious input to the targeted system, trigger NULL pointer dereference and cause the service to crash.

Mitigation
Update to version 0.8alpha.

Vulnerable software versions

libmspack: 0.3 - 0.7

External links
http://github.com/kyz/libmspack/commit/8759da8db6ec9e866cb8eb143313f397f925bb4f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for libmspack

Gentoo update for cabextract, libmspack

Null pointer dereference in libmspack (Alpine package)

Denial of service in libmspack