HylaFAX Project Security Advisory - CVE-2018-17141

Product

HylaFAX

Summary

Malformed fax sender remote code execution in JPEG support

Nature of Advisory

Remote code execution

Susceptibility

Class 1/1.0 and Class 2/2.0/2.1 analog fax modems and boards

Severity

Major

Exploits Known

No

Reported On

Aug 24, 2018

Reported By

Luis, Markus, and Eric of X41 D-SEC GmbH

Posted On

Sept 18, 2018

Last Updated On

Sept 18, 2018

Advisory Contact

patrice.fournier AT ifax DOT com

CVE Name

CVE-2018-17141



Description

A malicious sender that sets both JPEG and MH, MR, MMR or JBIG in the same DCS signal, or that sends a large JPEG page, could achieve remote code execution.


Resolution

Fix an uninitialized pointer write and an out-of-bounds write in FaxModem::writeECMData().
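
The two defect classes named above, shown as a defensive pattern in an added example (not HylaFAX source and not the project's patch): a simplified C model of a page receive buffer that rejects a DCS selecting more than one data format and bounds-checks every append. All names, the format flag values and the buffer cap are hypothetical.

```c
/* Added illustration: simplified model, not HylaFAX source; names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical flags for the data formats a sender selected in DCS. */
enum { FMT_MH = 1, FMT_MR = 2, FMT_MMR = 4, FMT_JBIG = 8, FMT_JPEG = 16 };
#define PAGE_BUF_MAX ((size_t)1 << 20)   /* assumed cap on one buffered page */

struct page_rx {
    uint8_t *start;   /* buffer holding the page being received */
    uint8_t *wr;      /* next write position; NULL until a page is begun */
    size_t   cap;     /* bytes allocated at start */
};

/* Begin a page. Exactly one known format must be selected, so JPEG can never
 * be combined with MH, MR, MMR or JBIG. Pointers are set on every path.
 * Call page_rx_end() before beginning another page. */
int page_rx_begin(struct page_rx *p, unsigned formats) {
    p->start = p->wr = NULL;
    p->cap = 0;
    if (formats == 0 || formats >= (FMT_JPEG << 1) || (formats & (formats - 1)))
        return -1;            /* none, unknown bits, or more than one format */
    p->start = (uint8_t *)malloc(PAGE_BUF_MAX);
    if (p->start == NULL)
        return -1;
    p->wr = p->start;
    p->cap = PAGE_BUF_MAX;
    return 0;
}

/* Append one received block. Refuses to write before a page has begun or
 * past the end of the buffer, however much data the sender supplies. */
int page_rx_append(struct page_rx *p, const uint8_t *data, size_t len) {
    if (p->wr == NULL)
        return -1;
    if (len > p->cap - (size_t)(p->wr - p->start))
        return -1;
    memcpy(p->wr, data, len);
    p->wr += len;
    return 0;
}

/* Release the page buffer and return to the "no page" state. */
void page_rx_end(struct page_rx *p) {
    free(p->start);
    p->start = p->wr = NULL;
    p->cap = 0;
}
```

The caller is expected to zero-initialize struct page_rx before first use so that an append before any page has begun is refused.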


Affected Versions

Product                       Release Series
HylaFAX Community Edition     4.x              4.2.2 and later
HylaFAX Community Edition     6.x              All releases
HylaFAX Enterprise Edition    2.x              2.1.2 and later using analog fax modems
HylaFAX Enterprise Edition    3.x              All releases using analog modems
HylaFAX Enterprise Edition    4.x              All releases using analog modems
HylaFAX Enterprise Edition    5.x              All releases using analog modems
HylaFAX Enterprise Edition    6.x              All releases using analog modems


Corrected In

Product                       Release
HylaFAX Community Edition     6.0.7
HylaFAX Enterprise Edition    6.1.14
HylaFAX Enterprise Edition    6.2.14




Patches

GIT URL: http://git.hylafax.org/HylaFAX?a=commitdiff_plain;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36;hp=5b95b384dd1b44b9d2c5c15cc10e50def7c1555d
Revision: HylaFAX 6



Links

http://bugs.hylafax.org/show_bug.cgi?id=974


This document may be superseded by later versions; if so, the latest version will be posted at ftp://ftp.hylafax.org/security/CVE-2018-17141.html


Revision History

Date             Editor              Revisions Made
Sept 18, 2018    Patrice Fournier    Initial revision








Copyright © 2018 iFAX Solutions, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.