Hackers Could Target LEADTOOLS Users With Malicious Image Files


Note: a patch was issued earlier this week and the issues are fixed. Read the complete article for the background.

Cisco Talos security researchers have discovered multiple flaws in the LEADTOOLS imaging toolkits that could lead to code execution on the victim's device.

Developed by LEAD Technologies Inc., LEADTOOLS is a family of toolkits for building desktop, server and mobile applications that handle document, medical, multimedia and imaging technologies. The SDK and its libraries are available for several operating systems.

According to the Talos researchers, the vulnerabilities discovered in LEADTOOLS may allow a malicious actor to cause a denial of service (DoS) or to execute code.

The first flaw is a heap out-of-bounds write vulnerability in the LEADTOOLS 20 TIF-parsing functionality. Tracked as CVE-2019-5084, it can be triggered by a specially crafted TIF image that causes a write at an offset beyond the limits of a heap allocation.

The LEADTOOLS 20 CMP-parsing functionality, Talos says, contains an integer underflow flaw. The issue, tracked as CVE-2019-5099, is triggered by a specially crafted CMP image file.

Cisco's researchers also found that the LEADTOOLS 20 BMP header-parsing functionality is affected by an integer overflow bug (tracked as CVE-2019-5100), and that the JPEG2000 parser contains a heap overflow vulnerability (CVE-2019-5125).

As with the first two bugs, an attacker attempting to trigger these flaws needs specially crafted image files, BMP and J2K respectively.
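The article names three memory-safety bug classes in image parsing: an unsigned integer underflow when a header length is subtracted from a length field, an integer overflow when a pixel-buffer size is computed from header fields, and the heap overflow that follows once the resulting allocation is too small. The following C example is added here to illustrate those classes in general; it is not code from LEADTOOLS, Talos, or the advisories. The 14-byte header layout, the field names, the `HDR_LEN` and `MAX_PIXEL_BYTES` constants and the sample headers are all constructed for the example and do not describe the real BMP, CMP or TIF formats. Each vulnerable computation is shown beside a hardened version that rejects the malformed header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed header layout for this example (assumption, not a real
 * image format): little-endian
 *   u32 data_len | u32 width | u32 height | u16 bpp            */
#define HDR_LEN 14
/* Assumed upper bound on a decoded pixel buffer for the hardened path. */
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

typedef struct {
    uint32_t data_len;  /* bytes in the whole chunk, header included */
    uint32_t width;
    uint32_t height;
    uint16_t bpp;       /* bits per pixel */
} img_hdr_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Builds a constructed header so callers can craft test inputs inline. */
void make_header(uint8_t out[HDR_LEN], uint32_t data_len,
                 uint32_t width, uint32_t height, uint16_t bpp) {
    wr32(out, data_len);
    wr32(out + 4, width);
    wr32(out + 8, height);
    out[12] = bpp & 0xff;
    out[13] = (bpp >> 8) & 0xff;
}

/* Parses the fixed header; only checks that the header itself fits. */
int parse_header(const uint8_t *buf, size_t len, img_hdr_t *h) {
    if (len < HDR_LEN) return -1;
    h->data_len = rd32(buf);
    h->width    = rd32(buf + 4);
    h->height   = rd32(buf + 8);
    h->bpp      = (uint16_t)(buf[12] | buf[13] << 8);
    return 0;
}

/* Bug class 1, integer underflow: unsigned subtraction with a data_len
 * smaller than the header wraps to almost 4 GiB, so a later copy based
 * on this length runs far past the input buffer. */
uint32_t vuln_payload_len(const img_hdr_t *h) {
    return h->data_len - HDR_LEN;
}

/* Hardened: bound data_len below by the header and above by the bytes
 * actually available before subtracting. */
int safe_payload_len(const img_hdr_t *h, size_t avail, uint32_t *out) {
    if (h->data_len < HDR_LEN || h->data_len > avail) return -1;
    *out = h->data_len - HDR_LEN;
    return 0;
}

/* Bug class 2, integer overflow: width * height * bytes-per-pixel in
 * 32-bit arithmetic wraps to a small value (here 0x10000 * 0x10000 * 1
 * wraps to 0), the heap allocation is undersized, and the decoder then
 * writes pixel data past the end of it (the heap overflow). */
uint32_t vuln_pixel_bytes(const img_hdr_t *h) {
    return h->width * h->height * (uint32_t)(h->bpp / 8);
}

/* Hardened: validate bpp, reject zero dimensions, and check each
 * multiplication against a cap before performing it. */
int safe_pixel_bytes(const img_hdr_t *h, size_t *out) {
    uint64_t bytes_pp = h->bpp / 8;
    if (bytes_pp == 0 || h->bpp % 8 != 0) return -1;
    if (h->width == 0 || h->height == 0) return -1;
    if (h->width > MAX_PIXEL_BYTES / bytes_pp) return -1;
    uint64_t row = (uint64_t)h->width * bytes_pp;
    if (h->height > MAX_PIXEL_BYTES / row) return -1;
    *out = (size_t)(row * h->height);
    return 0;
}

int main(void) {
    uint8_t buf[HDR_LEN];
    img_hdr_t h;
    size_t px;
    /* Constructed header: 65536 x 65536 at 8 bpp overflows 32 bits. */
    make_header(buf, HDR_LEN, 0x10000, 0x10000, 8);
    parse_header(buf, sizeof buf, &h);
    printf("vulnerable size computation: %u bytes\n", vuln_pixel_bytes(&h));
    printf("hardened check: %s\n",
           safe_pixel_bytes(&h, &px) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two hardened routines apply the same rule: derive every size from validated inputs with bounds checked before the arithmetic, and fail closed on any header that does not fit the bytes actually available. A parser that follows this pattern for every length and dimension field removes the undersized allocation that turns a crafted image into a heap overflow.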

All four vulnerabilities are rated high severity, with a CVSS score of 8.8.

The vulnerabilities were found by Talos security researchers in LEADTOOLS 20.0.2019.3.15 in early September and disclosed to the vendor on September 10. A patch was issued earlier this week.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.