Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hackers Can Target LEADTOOLS Users With Malicious Image Files

Cisco Talos security researchers have discovered multiple vulnerabilities in the LEADTOOLS imaging toolkits that could lead to code execution on the victim system.

Cisco Talos security researchers have discovered multiple vulnerabilities in the LEADTOOLS imaging toolkits that could lead to code execution on the victim system.

Developed by LEAD Technologies Inc., LEADTOOLS represents a collection of toolkits for integrating document, medical, multimedia and imaging technologies into applications tailored for desktop, server, and mobile devices. An SDK and various libraries provide support for multiple operating systems.

According to Talos researchers, multiple vulnerabilities discovered in LEADTOOLS could allow a malicious actor to cause denial-of-service (DoS) conditions and even execute code remotely on an affected system.

The first of these bugs is a heap out-of-bounds write vulnerability in the TIF-parsing functionality of LEADTOOLS 20. Tracked as CVE-2019-5084, the vulnerability can be exploited with the help of a specially crafted TIF image to cause an offset beyond the bounds of a heap allocation to be written.

The CMP-parsing functionality of LEADTOOLS 20, Talos reports, is impacted by an integer underflow security flaw. Tracked as CVE-2019-5099, the issue can be exploited using a specially crafted CMP image file.

Cisco’s researchers also discovered that the BMP header parsing functionality of LEADTOOLS 20 is impacted by an integer overflow bug (tracked as CVE-2019-5100), and that the JPEG2000-parsing functionality of LEADTOOLS 20 has an exploitable heap overflow vulnerability (CVE-2019-5125).

The same as with the first two bugs, an attacker looking to trigger these weaknesses would need specially crafted BMP and J2K image files.

All four vulnerabilities are rated High severity and have a CVSS score of 8.8.

Advertisement. Scroll to continue reading.

Talos’ security researchers found these bugs in LEADTOOLS 20.0.2019.3.15 in early September and reported them to the vendor on September 10. A patch was released earlier this week.

Related: Hackers Can Target Able2Extract Users With Malicious Image Files

Related: Cisco Finds 11 Vulnerabilities in Schneider Electric Modicon Controllers

Related: AMD Radeon Driver Flaw Leads to VM Escape

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.