Discovered by Marcin 'Icewall' Noga of Cisco Talos.
Talos are today releasing a new vulnerability discovered within the Lexmark Perceptive Document Filters library. TALOS-2017-0302 allows for information disclosure using specifically crafted files.
The vulnerability is present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.
Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.
TALOS-2017-0302 Information Disclosure Vulnerability(CVE-2017-2806)
The vulnerability exists in the processing of the IHlink records of Office Art objects embedded in XLS files. The absence of a value sanitization check for variable length fields in a file allows an attacker to create a specially crafted XLS file which causes an arbitrary memory read.
Full details are available here.
Known vulnerable versions
Lexmark Perceptive Document Filters 22.214.171.1248 and 126.96.36.1990.
For successful exploitation of this vulnerability to steal information, an attacker must be able to execute further code on the system, possibly through the exploitation of additional vulnerabilities. However, because the vulnerable library is used by a number of third party products, organisations may be unaware that they are exposed to this vulnerability. As with any patch, an organisation should ensure that patches for any document processing software which may include the Lexmark library are applied as soon as possible.
Lexmark has release "Perceptive Document Filters 188.8.131.520" to address this issue.
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 42137 - 42138