Today, Talos is disclosing several vulnerabilities that have been identified in CorelDRAW X8. CorelDRAW X8 is graphics suite used for manipulating raster and vector images and is a common alternative to Adobe Creative Cloud. Several of the vulnerabilities being disclosed today specifically affect PHOTO-PAINT X8, a raster graphics editor. Talos has responsibly disclosed this vulnerability to Corel. Corel has made a software update that addresses this vulnerability available for download.

Vulnerability Details

TALOS-2016-0244 (CVE-2016-8730) - Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability This vulnerability was identified by Piotr Bania of Cisco Talos.

TALOS-2016-0244 manifests as a out-of-bounds write memory corruption vulnerability in the GIF parsing functionality of Corel PHOTO-PAINT X8. A user who opens specifically crafted GIF file can trigger this vulnerability, resulting in arbitrary code execution of the attacker's choice. Scenarios where this might occur would be email-based attack scenarios, where the victim opens up a malicious GIF file in Corel PHOTO-PAINT, or scenarios where a user downloads a malicious GIF file from a site using user-generated content.

TALOS-2016-0261 CVE-2016-9043 CorelDRAW X8 EMF Parser Code Execution Vulnerability This vulnerability was identified by Piotr Bania of Cisco Talos.

TALOS-2016-0261 manifests as a out-of-bounds write memory corruption vulnerability in the EMF parsing functionality of Corel X8. A user who opens specifically crafted EMF file can trigger this vulnerability, resulting in arbitrary code execution of the attacker's choice. Scenarios where this might occur would be email-based attack scenarios, where the victim opens up a malicious EMF file in in a CorelDRAW X8 application, or scenarios where a user downloads a malicious EMF file from a site using user-generated content.

TALOS-2017-0297 (CVE-2017-2803) - Corel PHOTO-PAINT X8 64-bit TIFF Filter Code Execution Vulnerability This vulnerability was identified by members of the Cisco Talos Vulnerability Research Team.

TALOS-2017-0297affects a part of the application contained in the DLL ietif.flt, responsible for parsing files in the TIFF file format. While parsing the TIFF IFD entries, a specially crafted TIFF file can cause an underflow resulting in a large value being passed as the `size` to a `memset` function and corruption of the process memory. The vulnerability is confirmed to affect Corel TIFF Import/Export Filter (64-Bit) - 18.1.0.661 library included with the 64 bit version of Corel PHOTO-PAINT X8.

TALOS-2017-0298 (CVE-2017-2804) - Corel PHOTO-PAINT X8 TIFF Filter Code Execution Vulnerability This vulnerability was identified by members of the Cisco Talos Vulnerability Research Team.

TALOS-2017-0298 is a remote, out of bound write vulnerability that exists in the TIFF parsing functionality of Corel PHOTO-PAINT X8 18.1.0.661. A specially crafted TIFF file may exploit the vulnerability resulting in potential memory corruption. An attacker may send the victim a specific TIFF file to trigger this vulnerability. The vulnerability is confirmed to affect Corel TIFF Import/Export Filter - 18.1.0.661 library included with the both 32 bit and 64 bit versions of Corel PHOTO-PAINT X8.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:

http://www.talosintelligence.com/vulnerability-reports/

Discussion Familiar file formats that are routinely shared in work environments make tempting targets for attackers as the targets may not think of familiar image attachment type as being potentially malicious. The TIFF file format is regularly used in the graphic design industry and for the distribution of certain documents such as fax messages. Other formats, such as GIFs and EMFs, are common image formats that most do not expect to be inherently malicious as they are images or contain metadata.

The complexity of file formats such as TIFF means that there is a lot of scope for vulnerabilities to be inadvertently included in programs that parse the format. In recent months, Talos discovered other vulnerabilities related to the TIFF format such as vulnerabilities in the LibTIFF library, ImageMagick, and in Apple iOS. Organisations need to remain aware of vulnerabilities in the software packages that they use and update to the latest version.

Coverage The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

To review our Vulnerability Disclosure Policy, please visit this site:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html