Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two new vulnerabilities in Accusoft ImageGear. 

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office. 

One vulnerability, TALOS-2022-1465 (CVE-2022-23400), could allow an attacker to cause a denial-of-service condition in the application via a stack-based buffer overflow. In a very specific scenario, this buffer overflow could also lead to a memory leak of one byte.

Another, TALOS-2022-1449 (CVE-2022-22137), could allow an adversary to corrupt memory in the application and cause an arbitrary use-after-free condition.

In adherence to Cisco’s vulnerability disclosure policy, Accusoft patched these issues and released an update for ImageGear. The company also fixed several other vulnerabilities Talos disclosed in February that previously did not have a patch.

Talos tested and confirmed Accusoft ImageGear, version 19.10, is affected by the vulnerabilities disclosed in this post. 

The following SNORT® rules will detect exploitation attempts against these vulnerabilities: 58947, 58948, 59030 and 59031. Additional rules may be released in the future, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please

Read More: http://blog.talosintelligence.com/2022/05/vuln-spotlight-accusoft-.html