Sid 1-39615

Message

FILE-IMAGE Multiple products TIFF tile size buffer overflow attempt

Summary

Vulnerabilities in multiple products' TIFF image parsers allow for potential remote code execution via a crafted .tiff or .tif file.

Impact

Potential user access to a victim's machine.

CVE-2016-4631:

CVSS base score 8.8

CVSS impact score 5.9

CVSS exploitability score 2.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

CVE-2017-2870:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

Rule checks for an attempt to exploit a buffer overflow vulnerability via a crafted .tiff or .tif file.

CVE-2016-4631: ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF file.

CVE-2017-2870: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted TIFF file can cause a heap overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

Affected systems

  • apple apple_tv 9.2.1
  • apple iphone_os 9.3.2
  • apple macosx 10.11.5
  • apple watchos 2.2.1
  • gnome gdk-pixbuf 2.36.6

Ease of attack

Hard

False positives

None known

False negatives

None known

Corrective action

Contributors

  • Talos research team.

Additional References

  • www.talosintelligence.com/reports/TALOS-2016-0171
  • www.talosintelligence.com/reports/TALOS-2016-0205
  • www.talosintelligence.com/reports/TALOS-2017-0377