#VU13453 Out-of-bounds read in file - CVE-2018-10360

Cybersecurity Help s.r.o.

Published: 2018-06-23 | Updated: 2018-06-25

Vulnerability identifier: #VU13453

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-10360

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
file
Universal components / Libraries / Libraries used by multiple products

Vendor: Ian F. Darwin

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the do_core_note function in readelf.c in libmagic.a due to an error when processing malicious input. A remote attacker can send a specially crafted crafted ELF file, trigger out-of-bounds read and cause the service to crash.

Mitigation
Install update from vendor's website.

Vulnerable software versions

file: 5.33

External links
https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Red Hat Enterprise Linux 7 update for file

OpenSUSE Linux update for file

Amazon Linux AMI update for file

OpenSUSE Linux update for file

Arch Linux update for file

Slackware Linux update for file