NewStart CGSL MAIN 6.02 : exiv2 Multiple Vulnerabilities (NS-SA-2022-0090)

high Nessus Plugin ID 167490

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.02, has exiv2 packages installed that are affected by multiple vulnerabilities:

- Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. (CVE-2019-17402)

- A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data. (CVE-2021-3482)

- Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. (CVE-2021-29457)

- Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as insert. The bug is fixed in version v0.27.4. (CVE-2021-29458, CVE-2021-29470)

- Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4. (CVE-2021-29463)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL exiv2 packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

http://security.gd-linux.com/notice/NS-SA-2022-0090

http://security.gd-linux.com/info/CVE-2019-17402

http://security.gd-linux.com/info/CVE-2021-29457

http://security.gd-linux.com/info/CVE-2021-29458

http://security.gd-linux.com/info/CVE-2021-29463

http://security.gd-linux.com/info/CVE-2021-29464

http://security.gd-linux.com/info/CVE-2021-29470

http://security.gd-linux.com/info/CVE-2021-29473

http://security.gd-linux.com/info/CVE-2021-29623

http://security.gd-linux.com/info/CVE-2021-31291

http://security.gd-linux.com/info/CVE-2021-31292

http://security.gd-linux.com/info/CVE-2021-32617

http://security.gd-linux.com/info/CVE-2021-3482

http://security.gd-linux.com/info/CVE-2021-37618

http://security.gd-linux.com/info/CVE-2021-37619

Plugin Details

Severity: High

ID: 167490

File Name: newstart_cgsl_NS-SA-2022-0090_exiv2.nasl

Version: 1.6

Type: local

Published: 11/15/2022

Updated: 11/9/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-29464

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:exiv2-libs, cpe:/o:zte:cgsl_main:6

Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/9/2022

Vulnerability Publication Date: 10/9/2019

Reference Information

CVE: CVE-2019-17402, CVE-2021-29457, CVE-2021-29458, CVE-2021-29463, CVE-2021-29464, CVE-2021-29470, CVE-2021-29473, CVE-2021-29623, CVE-2021-31291, CVE-2021-31292, CVE-2021-32617, CVE-2021-3482, CVE-2021-37618, CVE-2021-37619