CVE-2023-52355 is an out-of-memory flaw in libtiff, the widely used image processing library for TIFF files. It is triggered by passing a specially crafted TIFF file to the TIFFRasterScanlineSize64() API, and a remote attacker who can supply such a file can cause a denial of service (DoS); a crafted input smaller than 379 KB is enough.

Details

Libtiff, the widely used software library for reading and writing TIFF (Tagged Image File Format) files, sits underneath many applications that handle images, so a flaw in it is reachable from any of them that accept untrusted files. Researchers have identified an out-of-memory flaw in the library, assigned the identifier CVE-2023-52355.

The vulnerability resides in the TIFFRasterScanlineSize64() API function, which computes the size in bytes of one scanline of the image raster. That size is derived from the file's tags (image width, bits per sample, samples per pixel), not from the amount of pixel data actually present, so a crafted file can describe an image far larger than the file itself. Instead of that memory demand being rejected, the library runs out of memory, and a remote attacker who can get such a file into an application's input can take it down with a file smaller than 379 KB.

The affected function can be reached with the following harness; it only opens the file and asks for the raster scanline size, and the crafted file does the rest:

#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>
#include "tiffio.h"

int main(int argc, char* argv[]) {
  TIFF* tif;
  uint64_t size;

  if (argc != 2) {
    fprintf(stderr, "Usage: %s <input.tiff>\n", argv[0]);
    exit(EXIT_FAILURE);
  }

  tif = TIFFOpen(argv[1], "r");
  if (!tif) {
    fprintf(stderr, "Cannot open %s\n", argv[1]);
    exit(EXIT_FAILURE);
  }

  /* Size in bytes of one raster scanline, computed from the file's tags
   * (ImageWidth, BitsPerSample, SamplesPerPixel); 0 signals an error. */
  size = TIFFRasterScanlineSize64(tif);
  if (size == 0) {
    fprintf(stderr, "Invalid input TIFF file\n");
    TIFFClose(tif);
    exit(EXIT_FAILURE);
  }

  /* uint64_t is not necessarily unsigned long long, so use PRIu64 */
  printf("Scanline size: %" PRIu64 "\n", size);

  TIFFClose(tif);
  return 0;
}

The harness above calls the function the way an application would: TIFFRasterScanlineSize64(tif) computes the scanline size from the tags of the input TIFF, so a crafted file with absurd dimensions can push that size, and the allocations based on it, far beyond the memory available.
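The mechanism described in the Details section and exercised by the harness above can be shown without linking libtiff. The following C program is an added example written for this page (my own code, not libtiff's and not the researcher's proof of concept): it parses the header and first IFD of a classic TIFF, computes the scanline size with the same width x bits-per-sample x samples-per-pixel arithmetic TIFFRasterScanlineSize64() uses for contiguous data (ignoring libtiff's YCbCr subsampling and planar-configuration special cases), and rejects the file before any allocation when the raster would exceed a budget. The two embedded files are constructed for the example; both are 62 bytes, yet one of them describes a 32 GiB scanline, which is the point about file size being no guide to memory demand. MAX_RASTER_BYTES, tiff_read_geometry() and tiff_raster_size_checked() are names chosen here, not libtiff API.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libtiff code: check the raster size a classic TIFF's tags
 * imply before any allocation is sized from it. Names are this example's own. */
#define TIFFTAG_IMAGEWIDTH      256
#define TIFFTAG_IMAGELENGTH     257
#define TIFFTAG_BITSPERSAMPLE   258
#define TIFFTAG_SAMPLESPERPIXEL 277
#define MAX_RASTER_BYTES        (256ull << 20)   /* policy limit chosen for illustration */

struct tiff_geom { uint32_t width, length; uint16_t bits_per_sample, samples_per_pixel; };

/* n-byte unsigned integer in either byte order (le = 1 for "II" files) */
static uint32_t rd(const uint8_t *p, int n, int le)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * (le ? i : n - 1 - i));
    return v;
}

/* Parse the header and first IFD of a classic TIFF. Only single inline SHORT/LONG
 * values are read, which covers the geometry tags. Returns 0 on success, -1 on a
 * bad magic, a truncated IFD or missing dimensions. */
int tiff_read_geometry(const uint8_t *buf, size_t len, struct tiff_geom *g)
{
    int le;
    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return -1;
    if (rd(buf + 2, 2, le) != 42) return -1;             /* classic TIFF version number */
    uint32_t ifd = rd(buf + 4, 4, le);
    if (ifd < 8 || ifd > len - 2) return -1;
    uint32_t n = rd(buf + ifd, 2, le);
    if ((size_t)n * 12 > len - ifd - 2) return -1;       /* entries run past the buffer */
    g->width = g->length = 0;
    g->bits_per_sample = g->samples_per_pixel = 1;       /* TIFF defaults */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint32_t tag = rd(e, 2, le), type = rd(e + 2, 2, le), v;
        if (rd(e + 4, 4, le) != 1) continue;             /* count != 1: arrays not handled */
        if (type == 3) v = rd(e + 8, 2, le);             /* SHORT, left-justified in value field */
        else if (type == 4) v = rd(e + 8, 4, le);        /* LONG */
        else continue;
        if (tag == TIFFTAG_IMAGEWIDTH) g->width = v;
        else if (tag == TIFFTAG_IMAGELENGTH) g->length = v;
        else if (tag == TIFFTAG_BITSPERSAMPLE) g->bits_per_sample = (uint16_t)v;
        else if (tag == TIFFTAG_SAMPLESPERPIXEL) g->samples_per_pixel = (uint16_t)v;
    }
    return (g->width && g->length) ? 0 : -1;
}

/* scanline = ceil(width * bps * spp / 8) bytes, raster = scanline * length, in 64 bits;
 * the budget comparison also rules out overflow of the raster product.
 * Returns 0 if the raster fits in max_bytes, -1 if the file must be rejected. */
int tiff_raster_size_checked(const struct tiff_geom *g, uint64_t max_bytes,
                             uint64_t *scanline_out, uint64_t *raster_out)
{
    uint64_t bits = (uint64_t)g->width * g->bits_per_sample * g->samples_per_pixel;
    uint64_t scanline = bits / 8 + (bits % 8 != 0);
    *scanline_out = scanline;
    *raster_out = 0;
    if (scanline == 0 || scanline > max_bytes) return -1;
    if (g->length > max_bytes / scanline) return -1;
    *raster_out = scanline * g->length;
    return 0;
}

/* Constructed sample files, 62 bytes each: header, four IFD entries (tag, type,
 * count, value) and a zero next-IFD offset. */
static const uint8_t BENIGN_TIFF[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0x04,0x00,    /* LE, 42, IFD at 8, 4 entries */
    0x00,0x01, 0x03,0x00, 0x01,0,0,0, 0x80,0x02,0,0,       /* ImageWidth      SHORT 640 */
    0x01,0x01, 0x03,0x00, 0x01,0,0,0, 0xE0,0x01,0,0,       /* ImageLength     SHORT 480 */
    0x02,0x01, 0x03,0x00, 0x01,0,0,0, 0x08,0x00,0,0,       /* BitsPerSample   SHORT 8   */
    0x15,0x01, 0x03,0x00, 0x01,0,0,0, 0x03,0x00,0,0,       /* SamplesPerPixel SHORT 3   */
    0,0,0,0 };
static const uint8_t CRAFTED_TIFF[] = {                    /* same size on disk, huge tags */
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0x04,0x00,
    0x00,0x01, 0x04,0x00, 0x01,0,0,0, 0xFF,0xFF,0xFF,0xFF, /* ImageWidth      LONG 4294967295 */
    0x01,0x01, 0x04,0x00, 0x01,0,0,0, 0xFF,0xFF,0xFF,0xFF, /* ImageLength     LONG 4294967295 */
    0x02,0x01, 0x03,0x00, 0x01,0,0,0, 0x10,0x00,0,0,       /* BitsPerSample   SHORT 16 */
    0x15,0x01, 0x03,0x00, 0x01,0,0,0, 0x04,0x00,0,0,       /* SamplesPerPixel SHORT 4  */
    0,0,0,0 };

int main(void)
{
    const uint8_t *files[] = { BENIGN_TIFF, CRAFTED_TIFF };
    const size_t lens[] = { sizeof BENIGN_TIFF, sizeof CRAFTED_TIFF };
    for (int i = 0; i < 2; i++) {
        struct tiff_geom g;
        uint64_t sl, rs;
        if (tiff_read_geometry(files[i], lens[i], &g) != 0) { printf("file %d: malformed\n", i); continue; }
        int rc = tiff_raster_size_checked(&g, MAX_RASTER_BYTES, &sl, &rs);
        printf("file %d: %zu bytes on disk, %" PRIu32 "x%" PRIu32 " px, scanline %" PRIu64 " bytes: %s\n",
               i, lens[i], g.width, g.length, sl, rc == 0 ? "within budget" : "rejected before allocation");
    }
    return 0;
}
```

The budget is the application's decision, not the library's: a thumbnailer may cap at a few megabytes, a print pipeline at several gigabytes. The check belongs before TIFFReadRGBAImage() or any scanline loop, on the process that receives untrusted input.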

Original references and further technical details:

- Link to CVE reference
- Link to libtiff security advisory (not available yet)
- Link to the researcher's report

How to mitigate this vulnerability

The maintainers of libtiff have been contacted regarding the vulnerability and are working on a fix. Until an official patch is released, users are advised to reduce their exposure as follows:
- Do not hand untrusted TIFF files straight to libtiff. Read the geometry tags (ImageWidth, ImageLength, BitsPerSample, SamplesPerPixel) first and reject any file whose scanline or raster size exceeds what the application is prepared to allocate; the value TIFFRasterScanlineSize64() returns is computed from those tags, not from the size of the file.
- Bound the memory a decoding process can consume (RLIMIT_AS, a cgroup memory limit, or a separate decoder process) so that an exhausted decoder fails on its own instead of taking the application down. libtiff 4.5.0 and later also offer TIFFOpenOptionsSetMaxSingleMemAlloc(), which caps the size of any single allocation the library makes.
- Where practical, use an alternative image processing library that is not susceptible to this vulnerability.
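As an added example of bounding the damage at the process level (my own code, not from libtiff or the advisory; Linux-specific, since macOS does not enforce RLIMIT_AS), the program below lowers the process's address-space limit and then makes the kind of allocation a crafted file's dimensions would produce. Under the cap, malloc() returns NULL and the caller can report an error, instead of the kernel's OOM killer ending the process. cap_address_space() and try_raster_alloc() are names chosen here, and the 1 GiB figure is an arbitrary budget for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Added example, not libtiff code (Linux; macOS does not enforce RLIMIT_AS).
 * Lower the soft address-space limit of the calling process so an oversized
 * allocation fails with NULL, which a library can report as an error, instead
 * of the process being OOM-killed. Returns 0 on success, -1 on error. */
int cap_address_space(uint64_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0) return -1;
    if (rl.rlim_max != RLIM_INFINITY && bytes > (uint64_t)rl.rlim_max)
        bytes = (uint64_t)rl.rlim_max;               /* cannot exceed the hard limit unprivileged */
    rl.rlim_cur = (rlim_t)bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Stand-in for a raster allocation sized from a file's tags. Returns 1 if the
 * request was granted (the memory is touched once and released), 0 if refused. */
int try_raster_alloc(uint64_t bytes)
{
    if (bytes > SIZE_MAX) return 0;                  /* would not even fit in size_t */
    unsigned char *p = malloc((size_t)bytes);
    if (p == NULL) return 0;
    p[0] = 1;                                        /* make the allocation real */
    free(p);
    return 1;
}

int main(void)
{
    /* 1 GiB cap, then a sane request and the request a crafted file would produce. */
    if (cap_address_space(1ull << 30) != 0) { perror("setrlimit"); return 1; }
    printf("1 MiB raster: %s\n", try_raster_alloc(1ull << 20) ? "granted" : "refused");
    printf("8 GiB raster: %s\n", try_raster_alloc(8ull << 30) ? "granted" : "refused");
    return 0;
}
```

RLIMIT_AS bounds virtual address space, not resident memory, so thread stacks and large file mappings count against it; size the cap with that in mind, and if the whole application cannot live under such a limit, decode in a child process (or a cgroup with memory.max) that can.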

Stay tuned for updates on CVE-2023-52355 as more details become available. This post will be updated with new information, mitigation techniques, and patch releases. Keep an eye on your applications and ensure your systems using libtiff are prepared to handle potential DoS attacks related to this vulnerability.

Timeline

Published on: 01/25/2024 20:15:38 UTC
Last modified on: 02/04/2024 20:15:45 UTC