X41 D-Sec GmbH Security Advisory: X41-2017-004
Multiple Vulnerabilities in tnef
Overview
Confirmed Affected Versions: 1.4.12 and earlier
Confirmed Patched Versions: 1.4.13
Vendor: verdammelt
Vendor URL: https://github.com/verdammelt/tnef/
Vector: File
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
Summary and Impact
Multiple integer overflows, type confusions and out-of-bounds reads and writes have been discovered in tnef 1.4.12 and earlier. These could be exploited by tricking a user into opening a malicious winmail.dat file.
Product Description
From the Readme.md:
TNEF is a program for unpacking MIME attachments of type “application/ms-tnef”. This is a Microsoft only attachment. Due to the proliferation of Microsoft Outlook and Exchange mail servers, more and more mail is encapsulated into this format. The TNEF program allows one to unpack the attachments which were encapsulated into the TNEF attachment. Thus alleviating the need to use Microsoft Outlook to view the attachment. TNEF is mainly tested and used on GNU/Linux and CYGWIN systems. It ‘should’ work on other UNIX and UNIX-like systems.
Integer Overflows in Memory Allocator
Severity Rating: High
Vector: Local
CVE: CVE-2017-6307
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary and Impact
Several integer overflows, which can lead to heap overflows, have been identified in the functions that wrap memory allocation.
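The bug class described above, as an added example that is not tnef's code: an allocation-size multiplication that wraps, next to an overflow-checked wrapper. All function names and the sample element count are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names; this is not tnef's source code. */

/* Unchecked pattern: the byte count is a plain multiply. If num * size
 * exceeds SIZE_MAX the product wraps, so the caller receives a buffer
 * far smaller than the element count it will later write. */
static size_t unchecked_bytes(size_t num, size_t size)
{
    return num * size;   /* wraps modulo SIZE_MAX + 1 */
}

/* Checked pattern: detect the wrap before multiplying.
 * Returns 0 and stores the product on success, -1 on overflow. */
static int checked_bytes(size_t num, size_t size, size_t *out)
{
    if (size != 0 && num > SIZE_MAX / size)
        return -1;
    *out = num * size;
    return 0;
}

/* Allocation wrapper that refuses a request whose size cannot be
 * represented, instead of silently under-allocating. */
static void *checked_alloc_array(size_t num, size_t size)
{
    size_t bytes;
    if (checked_bytes(num, size, &bytes) != 0)
        return NULL;
    return calloc(1, bytes ? bytes : 1);
}

int main(void)
{
    /* Constructed input: an element count as a file might declare it. */
    size_t num = SIZE_MAX / 4 + 2, size = 4;
    printf("unchecked: %zu bytes\n", unchecked_bytes(num, size));
    void *p = checked_alloc_array(num, size);
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```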
Workarounds
None. X41 D-Sec GmbH recommends updating to the latest version.
Type Confusion in src/tnef.c:parse_file()
Severity Rating: High
Vector: Local
CVE: CVE-2017-6308
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary and Impact
Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker.
Workarounds
None. X41 D-Sec GmbH recommends updating to the latest version.
OOB Writes in src/mapi_attr.c:mapi_attr_read()
Severity Rating: High
Vector: Local
CVE: CVE-2017-6309
CVSS Score: High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary and Impact
Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker.
Workarounds
None. X41 D-Sec GmbH recommends updating to the latest version.
Type Confusion in src/file.c:file_add_mapi_attrs()
Severity Rating: High
Vector: Local
CVE: CVE-2017-6310
CVSS Score: 7.0
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary and Impact
Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker.
Workarounds
None. X41 D-Sec GmbH recommends updating to the latest version.
About X41 D-Sec GmbH
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.
Timeline
- 2017-02-17 Issue found
- 2017-02-19 Vendor contacted
- 2017-02-20 CVE IDs requested
- 2017-02-21 Vendor Reply
- 2017-02-23 Vendor releases patched version
- 2017-02-23 Advisory released
- 2017-02-24 CVE ID assigned