Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser

Lilith >_> of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered three vulnerabilities in the OpenImageIO image-parsing library that many popular pieces of 3-D rendering software use.

OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often-used computer imaging services, use the library, among other software offerings.

Two of the vulnerabilities — TALOS-2023-1707 (CVE-2023-24473) and TALOS-2023-1708 (CVE-2023-22845) — could lead to the disclosure of sensitive information. An adversary could exploit these vulnerabilities by sending the target a specially crafted, malicious Targa (.tga) file.

TALOS-2023-1709 (CVE-2023-24472) is a denial-of-service vulnerability that is a continuation of TALOS-2022-1653 (CVE-2022-43594 and CVE-2022-43595). Talos first discovered CVE-2022-43595 in December, though it was not fixed in the most recent version of OpenImageIO.

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: OpenImageIO Project, version 2.4.7.1. Talos tested and confirmed that this version of the library could be exploited through these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61271, 61272, 61384 and 61385. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.
