A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.

According to the versions of the libtiff package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file     can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a     denial of service and limited information disclosure. This issue affects libtiff versions     4.x.(CVE-2023-1916)

Tenable has extracted the preceding description block directly from the EulerOS libtiff security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the libtiff package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at     tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service     via a crafted tiff file.(CVE-2023-3164)

    A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file     can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a     denial of service and limited information disclosure. This issue affects libtiff versions     4.x.(CVE-2023-1916)

Tenable has extracted the preceding description block directly from the EulerOS libtiff security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libtiff: Heap-based buffer overflow in TIFF2PDF tool (CVE-2020-35524)

  - libtiff: heap-buffer overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c     (CVE-2023-25434)

  - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service     (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other     impact via a crafted TIFF file. (CVE-2017-17095)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libtiff: heap-based buffer overflow in _TIFFmemcpy() in tif_unix.c (CVE-2022-1056)

  - libtiff: out-of-bounds read in extractImageSection() in tools/tiffcrop.c (CVE-2023-1916)

  - libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at     /libtiff/tools/tiffcrop.c:3753. (CVE-2023-25435)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4869-1 advisory.

  - LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers     to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix     is available with commit b4e79bfa. (CVE-2022-1622)

  - An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a     denial of service via crafted TIFF file. (CVE-2022-40090)

  - A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file     can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a     denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
    (CVE-2023-1916)

  - loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted     TIFF image. (CVE-2023-26965)

  - A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file.
    This flaw allows a local attacker to craft specific input data that can cause the program to dereference a     NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.
    (CVE-2023-2731)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4736-1 advisory.

  - LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers     to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix     is available with commit b4e79bfa. (CVE-2022-1622)

  - An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a     denial of service via crafted TIFF file. (CVE-2022-40090)

  - A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file     can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a     denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
    (CVE-2023-1916)

  - loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted     TIFF image. (CVE-2023-26965)

  - A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file.
    This flaw allows a local attacker to craft specific input data that can cause the program to dereference a     NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.
    (CVE-2023-2731)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 host has packages installed that are affected by a vulnerability as referenced in the USN-6428-1 advisory.

    It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image     files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an     attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.6.8. It is, therefore, affected by multiple vulnerabilities:

  - A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in     macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8. An app may be able to read     sensitive location information. (CVE-2023-40442)

  - The issue was addressed with improved memory handling. This issue is fixed in watchOS 9.6, macOS Monterey     12.6.8, iOS 15.7.8 and iPadOS 15.7.8, macOS Big Sur 11.7.9, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5.
    An app may be able to execute arbitrary code with kernel privileges. (CVE-2023-34425)

  - A logic issue was addressed with improved restrictions. This issue is fixed in macOS Ventura 13.5. A     sandboxed process may be able to circumvent sandbox restrictions. (CVE-2023-32364)

  - This issue was addressed with improved data protection. This issue is fixed in macOS Monterey 12.6.8,     macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to modify protected parts of the file system.
    (CVE-2023-35983)

  - A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in     macOS Ventura 13.5. An app may be able to read sensitive location information. (CVE-2023-40392)

  - OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like     operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to     the logging service AFTER the connection has been closed, when it should have logged the data right     before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue     is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose     always, provided its argument is not null, frees the pointer at the end of the call, only for     cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient`     if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address     (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP     wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version     2.4.6 has a patch for this issue. (CVE-2023-34241)

  - A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH     server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the     fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting     sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and     revealed. (CVE-2023-28319)

  - A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different     backends for resolving host names, selected at build time. If it is built to use the synchronous resolver,     it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this,     libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore     crash or otherwise misbehave. (CVE-2023-28320)

  - An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of     wildcard patterns when listed as Subject Alternative Name in TLS server certificates. curl can be built     to use its own name matching function for TLS rather than one provided by a TLS library. This private     wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a     result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before     used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to     pattern match, but the wildcard check in curl could still check for `x*`, which would match even though     the IDN name most likely contained nothing even resembling an `x`. (CVE-2023-28321)

  - An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might     erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the     `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request     which used that callback. This flaw may surprise the application and cause it to misbehave and either send     off the wrong data or use memory after free or similar in the second transfer. The problem exists in the     logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

  - A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.6.8, iOS     15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, watchOS 9.6. An app may be able to     read sensitive location information. (CVE-2023-32416)

  - The issue was addressed with improved handling of caches. This issue is fixed in tvOS 16.3, iOS 16.3 and     iPadOS 16.3, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Ventura     13.2, watchOS 9.3. Processing a font file may lead to arbitrary code execution. Apple is aware of a report     that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
    (CVE-2023-41990)

  - The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura     13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code     execution. (CVE-2023-32418, CVE-2023-36854)

  - The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS     Ventura 13.5. A remote user may be able to cause a denial-of-service. (CVE-2023-38603)

  - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in watchOS 9.6,     macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8, tvOS 16.6, iOS 16.6 and iPadOS     16.6, macOS Ventura 13.5. A remote user may be able to cause unexpected system termination or corrupt     kernel memory. (CVE-2023-38590)

  - A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.6,     macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8, tvOS 16.6, iOS 16.6 and iPadOS     16.6, macOS Ventura 13.5. An app may be able to execute arbitrary code with kernel privileges.
    (CVE-2023-38598)

  - An integer overflow was addressed with improved input validation. This issue is fixed in watchOS 9.6,     macOS Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, tvOS 16.6, iOS 16.6 and iPadOS 16.6, macOS Ventura     13.5. An app may be able to execute arbitrary code with kernel privileges. (CVE-2023-36495)

  - An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 15.7.8 and     iPadOS 15.7.8, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to     execute arbitrary code with kernel privileges. (CVE-2023-37285)

  - An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in watchOS     9.6, macOS Big Sur 11.7.9, iOS 15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8, tvOS 16.6, iOS 16.6 and     iPadOS 16.6, macOS Ventura 13.5. An app may be able to execute arbitrary code with kernel privileges.
    (CVE-2023-38604)

  - A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS     Monterey 12.6.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS     9.6. An app may be able to execute arbitrary code with kernel privileges. (CVE-2023-32381)

  - A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS     Monterey 12.6.8, iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9,     macOS Ventura 13.5, watchOS 9.6. An app may be able to execute arbitrary code with kernel privileges.
    (CVE-2023-32433, CVE-2023-35993)

  - This issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.6.8, iOS     15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5,     watchOS 9.6. An app may be able to modify sensitive kernel state. Apple is aware of a report that this     issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
    (CVE-2023-38606)

  - The issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.6.8, iOS     15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5,     watchOS 9.6. An app may be able to execute arbitrary code with kernel privileges. (CVE-2023-32441)

  - A path handling issue was addressed with improved validation. This issue is fixed in macOS Monterey     12.6.8, iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be     able to gain root privileges. (CVE-2023-38565)

  - A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, iOS 16.6     and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Ventura 13.5, watchOS 9.6. An app may be able to cause a     denial-of-service. (CVE-2023-38593)

  - This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in     macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted. (CVE-2023-40440)

  - This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Big Sur     11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to bypass Privacy preferences.
    (CVE-2023-38571)

  - The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5, macOS Monterey     12.6.8. Processing a 3D model may result in disclosure of process memory. (CVE-2023-38258, CVE-2023-38421)

  - A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file     can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a     denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
    (CVE-2023-1916)

  - ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-     relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo     or reached via the TERMINFO or TERM environment variable. (CVE-2023-29491)

  - This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Big Sur 11.7.9,     macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to modify protected parts of the file     system. (CVE-2023-38601)

  - A logic issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.7.9, macOS     Monterey 12.6.8, macOS Ventura 13.5. A sandboxed process may be able to circumvent sandbox restrictions.
    (CVE-2023-32444)

  - A vulnerability was found in openldap. This security flaw causes a null pointer dereference in     ber_memalloc_x() function. (CVE-2023-2953)

  - The issue was addressed with additional restrictions on the observability of app states. This issue is     fixed in macOS Big Sur 11.7.9, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to access SSH     passphrases. (CVE-2023-42829)

  - A logic issue was addressed with improved restrictions. This issue is fixed in macOS Monterey 12.6.8,     macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to access user-sensitive data.
    (CVE-2023-38259)

  - A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey     12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. An app may be able to modify protected parts of the file     system. (CVE-2023-38602)

  - This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Big Sur 11.7.9, iOS     15.7.8 and iPadOS 15.7.8, macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to fingerprint the     user. (CVE-2023-42831)

  - An access issue was addressed with improved access restrictions. This issue is fixed in macOS Ventura     13.5, macOS Monterey 12.6.8. A shortcut may be able to modify sensitive Shortcuts app settings.
    (CVE-2023-32442)

  - An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Monterey     12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to a denial-of-service or     potentially disclose memory contents. (CVE-2023-32443)

  - A race condition was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.7.9,     macOS Monterey 12.6.8, macOS Ventura 13.5. An app may be able to gain root privileges. (CVE-2023-42832)

  - This issue was addressed by adding additional SQLite logging restrictions. This issue is fixed in iOS 16.5     and iPadOS 16.5, tvOS 16.5, macOS Ventura 13.4. An app may be able to bypass Privacy preferences.
    (CVE-2023-32422)

  - The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. An app may be     able to bypass Privacy preferences. (CVE-2023-32429)

  - The SMB protocol decoder in tcpdump version 4.99.3 can perform an out-of-bounds write when decoding a     crafted network packet. (CVE-2023-1801)

  - Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499. (CVE-2023-2426)

  - NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531. (CVE-2023-2609)

  - Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. (CVE-2023-2610)

  - This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS     Ventura 13.5. An app may be able to determine a user's current location. (CVE-2023-38605)

Note that Nessus has not tested for these issues but has instead relied only on the operating system's self-reported version number.

ID	Name	Product	Family	Severity
207181	EulerOS 2.0 SP9 : libtiff (EulerOS-SA-2024-2373)	Nessus	Huawei Local Security Checks	medium
207162	EulerOS 2.0 SP10 : libtiff (EulerOS-SA-2024-2423)	Nessus	Huawei Local Security Checks	medium
207130	EulerOS 2.0 SP9 : libtiff (EulerOS-SA-2024-2398)	Nessus	Huawei Local Security Checks	medium
207118	EulerOS 2.0 SP10 : libtiff (EulerOS-SA-2024-2446)	Nessus	Huawei Local Security Checks	medium
206934	EulerOS 2.0 SP12 : libtiff (EulerOS-SA-2024-2353)	Nessus	Huawei Local Security Checks	medium
198563	RHEL 8 : libtiff (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
198484	RHEL 9 : libtiff (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
196585	RHEL 6 : libtiff (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
196532	RHEL 7 : libtiff (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	critical
186935	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : tiff (SUSE-SU-2023:4869-1)	Nessus	SuSE Local Security Checks	medium
186810	SUSE SLES12 Security Update : tiff (SUSE-SU-2023:4736-1)	Nessus	SuSE Local Security Checks	medium
182891	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 : LibTIFF vulnerability (USN-6428-1)	Nessus	Ubuntu Local Security Checks	medium
178753	macOS 13.x < 13.5 Multiple Vulnerabilities (HT213843)	Nessus	MacOS X Local Security Checks	critical
178752	macOS 12.x < 12.6.8 Multiple Vulnerabilities (HT213844)	Nessus	MacOS X Local Security Checks	critical

Detections

Analytics

CVE-2023-1916

medium

Tenable Plugins

medium

medium

medium

medium

medium

high

medium

critical

critical

medium

medium

medium

critical

critical