Critical vulnerabilities addressed in the Accusoft ImageGear library could be exploited by remote attackers to execute code on a victim machine, Cisco Talos’ security researchers report.
A document-imaging developer toolkit, ImageGear was designed to provide users with the ability to convert, create, and edit images, among others. Vulnerable functions present in the library, however, expose users’ machines to code execution.
Cisco Talos’ researchers have discovered a total of seven vulnerabilities in version 19.5.0 of the Accusoft ImageGear library, all of which are described as out-of-bounds write issues.
All seven of these vulnerabilities were identified in the igcore19d.dll library of Accusoft ImageGear, and all are remotely exploitable via specially crafted files.
With a CVSS score of 9.8, all of these vulnerabilities are considered critical severity.
Tracked as CVE-2019-5187, the first of the flaws was found in the TIF_read_stripdata function of ImageGear’s igcore19d.dll library and it can be triggered via a specially crafted TIFF file.
Two other bugs were found in the uncompress_scan_line function of the library. The vulnerabilities, which are tracked as CVE-2020-6063 and CVE-2020-6064, can be abused via specially crafted PCX files.
The vulnerability in the bmp_parsing function of the DLL is tracked as CVE-2020-6065 and can be triggered using a specially crafted BMP file.
Another flaw is tracked as CVE-2020-6067 and was found in the igcore19d.dll TIFF tifread parser. It can be triggered using a specially crafted TIFF file.
The remaining two bugs, CVE-2020-6066 and CVE-2020-6069, impact the igcore19d.dll JPEG SOFx and iJPEG jpegread precision parsers of ImageGear. Both can be triggered via specially crafted JPEG files.
An attacker looking to exploit these vulnerabilities needs to trick the targeted user into opening a malicious file with an affected version of the software.
The vendor was informed of the discovered bugs in late January and has already released a patched version of ImageGear.
Related: Code Execution Vulnerabilities Patched in Accusoft ImageGear
Related: Multiple Vulnerabilities Found in AMD ATI Radeon Graphics Cards
Related: Remote Code Execution Flaw Impacts E2fsprogs Filesystem Utility