CVE-2018-18557
published 2018-10-22

CVE-2018-18557: LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6…

Priority: P263 (high), CVSS 3.0 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.96% (96.3rd percentile)
LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.

Affected (8 ranges)

Vendor      Product        Version range                         Fixed in
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
canonical   ubuntu_linux
debian      debian_linux
debian      debian_linux
debian      tiff           < tiff 4.0.9+git181026-1 (bookworm)   tiff 4.0.9+git181026-1 (bookworm)
libtiff     libtiff

Detection & IOCs (extracted from sources)

path: tif_jbig.c
other: COMPRESSION tag value 0x8765 (JBIG)
bytes: 49 49 2A 00 CA 03 00 00
  • ROWS_PER_STRIP is set to 0xFFFFFFFF (invalid/max) in the crafted PoC TIFF, which is a distinguishing artefact of exploit files for this CVE.
  • The exploit primitive allows an attacker to: (1) allocate a heap buffer of chosen size, and (2) overwrite beyond it with attacker-controlled JBIG-decoded data, a classic heap overflow primitive.
  • Red Hat Enterprise Linux 5, 6, and 8 ship versions of libtiff that are not affected; only RHEL 7 is confirmed affected.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                      8.8     HIGH
vendor_debian            8.8     HIGH
vendor_redhat            8.8     HIGH