#VU34975 Out-of-bounds write in LEADTOOLS - CVE-2019-5092

Cybersecurity Help s.r.o.

Published: 2019-12-12 | Updated: 2020-08-08

Vulnerability identifier: #VU34975

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-5092

CWE-ID: CWE-787

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LEADTOOLS
Universal components / Libraries / Software for developers

Vendor: LEAD Technologies, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An exploitable heap out of bounds write vulnerability exists in the UI tag parsing functionality of the DICOM image format of LEADTOOLS 20.0.2019.3.15. A specially crafted DICOM image can cause an offset beyond the bounds of a heap allocation to be written, potentially resulting in code execution. An attacker can specially craft a DICOM image to trigger this vulnerability.

Mitigation
Install update from vendor's website.

Vulnerable software versions

LEADTOOLS: 20.0.2019.3.15

External links
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0884

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in LEADTOOLS