Vulnerability Name:

CVE-2017-13726 (CCN-131170)

Assigned: 2017-08-21
Published: 2017-08-21
Updated: 2019-10-03
Summary: There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.
CVSS v3 Severity:
  6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): Required
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): None
      Availability (A): High
  5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Local
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): Required
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): None
      Availability (A): High
CVSS v2 Severity:
  4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
    Exploitability Metrics:
      Access Vector (AV): Network
      Access Complexity (AC): Medium
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): None
      Availability (A): Partial
  4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
    Exploitability Metrics:
      Access Vector (AV): Local
      Access Complexity (AC): Low
      Authentication (Au): Single_Instance
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): None
      Availability (A): Complete
Vulnerability Type: CWE-617
Vulnerability Consequences: Denial of Service
References:
Source: CCN
Type: Bugzilla – Bug 2727
There is a reachable assertion abort in function TIFFWriteDirectorySec() of libtiff. A crafted input will lead to remote denial of attack

Source: MISC
Type: Issue Tracking, Third Party Advisory
http://bugzilla.maptools.org/show_bug.cgi?id=2727

Source: MITRE
Type: CNA
CVE-2017-13726

Source: BID
Type: UNKNOWN
100524

Source: CCN
Type: BID-100524
LibTIFF 'tif_dirwrite.c' Multiple Denial of Service Vulnerabilities

Source: XF
Type: UNKNOWN
libtiff-cve201713726-dos(131170)

Source: UBUNTU
Type: UNKNOWN
USN-3602-1

Source: DEBIAN
Type: UNKNOWN
DSA-4100

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-13726

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:libtiff:libtiff:4.0.8:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:43646 | P | Security update for systemd-presets-common-SUSE (Moderate) (in QA) | 2022-07-13
oval:org.opensuse.security:def:201713726 | V | CVE-2017-13726 | 2022-05-22
oval:org.opensuse.security:def:59559 | P | Security update for qemu (Important) | 2021-11-09
oval:org.opensuse.security:def:59537 | P | Security update for openssl-1_1 (Low) | 2021-09-09
oval:org.opensuse.security:def:59536 | P | Security update for openssl-1_0_0 (Low) | 2021-09-09
oval:org.opensuse.security:def:61077 | P | Security update for caribou (Important) | 2021-06-10
oval:org.opensuse.security:def:12223 | P | libltdl7-2.4.2-16.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:21836 | P | Security update for the Linux Kernel (Important) | 2021-06-08
oval:org.opensuse.security:def:12523 | P | libXt6-1.1.4-3.59 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12338 | P | radvd-1.9.7-2.17 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12447 | P | freerdp-2.0.0~git.1463131968.4e66df7-12.3.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:61208 | P | libXfont-devel-1.5.4-1.17 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:60279 | P | Security update for libX11 (Important) | 2021-06-08
oval:org.opensuse.security:def:12514 | P | libXfixes3-32bit-5.0.1-7.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12291 | P | libxml2-2-2.9.4-45.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12372 | P | wpa_supplicant-2.2-14.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12215 | P | libjavascriptcoregtk-4_0-18-2.12.5-1.12 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:61238 | P | libidn2-0-2.0.4-1.23 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12245 | P | libpcsclite1-1.8.10-6.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12536 | P | libcdio14-0.90-6.3.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12353 | P | sudo-1.8.20p2-1.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:12472 | P | gstreamer-0_10-plugins-good-0.10.31-16.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:61158 | P | expat-2.2.5-1.140 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:45207 | P | Security update for postgresql10 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:55180 | P | Security update for samba (Important) | 2021-04-29
oval:org.opensuse.security:def:59719 | P | Security update for MozillaFirefox (Important) | 2021-04-27
oval:org.opensuse.security:def:44377 | P | Security update for MozillaFirefox (Important) | 2021-04-01
oval:org.opensuse.security:def:54787 | P | Security update for MozillaFirefox (Important) | 2021-03-31
oval:org.opensuse.security:def:61115 | P | Security update for evolution-data-server (Moderate) | 2021-03-19
oval:org.opensuse.security:def:60472 | P | Security update for the Linux Kernel (Important) | 2021-03-09
oval:org.opensuse.security:def:21844 | P | Security update for the Linux Kernel (Moderate) | 2021-01-12
oval:org.opensuse.security:def:13196 | P | tftp-5.2-11.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:17374 | P | libwpd-0_10-10-0.10.2-2.7.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13174 | P | sane-backends-1.0.24-3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:17366 | P | libserf-1-1-1.3.7-3.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:17408 | P | Security update for spamassassin (Important) | 2020-12-01
oval:org.opensuse.security:def:23058 | P | Security update for wireshark (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22147 | P | Security update for libzypp, zypper (Important) | 2020-12-01
oval:org.opensuse.security:def:17850 | P | Security update for sudo (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17581 | P | Security update for xorg-x11-server (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60991 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:17759 | P | Recommended update for libksba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:43542 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:53657 | P | Security update for samba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:44512 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:43926 | P | Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:55061 | P | audiofile on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:54057 | P | libqt4-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60893 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:45255 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:21891 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:44307 | P | Security update to ucode-intel (Important) | 2020-12-01
oval:org.opensuse.security:def:56456 | P | Security update for emacs (Important) | 2020-12-01
oval:org.opensuse.security:def:54502 | P | java-1_8_0-openjdk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22420 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:53656 | P | Security update for tomcat (Important) | 2020-12-01
oval:org.opensuse.security:def:22094 | P | Security update for libpng16 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17828 | P | Security update for dbus-1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17550 | P | Security update for libksba (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22311 | P | Security update for libvirt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18514 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17727 | P | Security update for subversion (Moderate) | 2020-12-01
oval:org.opensuse.security:def:43531 | P | Security update for sane-backends (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60158 | P | Security update for libproxy (Important) | 2020-12-01
oval:org.opensuse.security:def:44483 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:43811 | P | Security update for cups (Important) | 2020-12-01
oval:org.opensuse.security:def:54987 | P | pigz on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53819 | P | Security update for bluez (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60773 | P | Security update for perl-DBI (Important) | 2020-12-01
oval:org.opensuse.security:def:44118 | P | Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:43530 | P | Security update for java-1_7_1-ibm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:54336 | P | mipv6d on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22390 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:22054 | P | Security update for gcc10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17816 | P | Security update for postgresql94 (Important) | 2020-12-01
oval:org.opensuse.security:def:17493 | P | Security update for kernel-firmware (Important) | 2020-12-01
oval:org.opensuse.security:def:54895 | P | libndp0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:23087 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22272 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:18488 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:17617 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59973 | P | Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:44432 | P | Security update for ibus (Important) | 2020-12-01
oval:org.opensuse.security:def:53679 | P | Security update for avahi (Moderate) | 2020-12-01
oval:org.opensuse.security:def:44569 | P | Security update for libX11 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:44001 | P | Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:55099 | P | emacs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:54230 | P | krb5-appl-clients on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22378 | P | Security update for mailman (Important) | 2020-12-01
oval:org.opensuse.security:def:21990 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:56530 | P | Security update for tiff (Moderate) | 2020-12-01
oval:org.opensuse.security:def:84883 | P | Security update for tiff (Moderate) | 2018-06-27
oval:org.opensuse.security:def:79164 | P | Security update for tiff (Moderate) | 2018-06-27
oval:com.ubuntu.artful:def:201713726000 | V | CVE-2017-13726 on Ubuntu 17.10 (artful) - low. | 2017-08-29
oval:com.ubuntu.xenial:def:2017137260000000 | V | CVE-2017-13726 on Ubuntu 16.04 LTS (xenial) - low. | 2017-08-29
oval:com.ubuntu.trusty:def:201713726000 | V | CVE-2017-13726 on Ubuntu 14.04 LTS (trusty) - low. | 2017-08-29
oval:com.ubuntu.xenial:def:201713726000 | V | CVE-2017-13726 on Ubuntu 16.04 LTS (xenial) - low. | 2017-08-29
    libtiff libtiff 4.0.8