Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.

OpenImageIO is an image processing library useful for conversion and processing, as well as image comparison. This library is utilized by 3D-processing software from AliceVision (including Meshroom) and is also used by Blender for reading Photoshop .psd files.

Vulnerabilities were found in the way OpenImageIO processed .tif, .psd, .dds and other files and metadata types.

Several of the vulnerabilities are rated CVSS 9.8, high priority arbitrary code execution risks.

• TALOS-2022-1626 (CVE-2022-41794)
• TALOS-2022-1630 (CVE-2022-38143)
• TALOS-2022-1634 (CVE-2022-41838)
• TALOS-2022-1636 (CVE-2022-41837)
• TALOS-2022-1633 (CVE-2022-41639)
• TALOS-2022-1628 (CVE-2022-41981)

TALOS-2022-1655 (CVE-2022-43597-CVE-2022-43598) concerns multiple memory corruption vulnerabilities. A specially crafted ImageOutput Object can lead to arbitrary code execution.  Multiple code execution vulnerabilities also exist, outlined in TALOS-2022-1656 (CVE-2022-43599-CVE-2022-43602). An attacker can provide malicious input to trigger these vulnerabilities.

Several vulnerabilities can cause denial of service. An attacker can provide malicious input or files to trigger these vulnerabilities.

• TALOS-2022-1632 (CVE-2022-41684)
• TALOS-2022-1635 (CVE-2022-41999)
• TALOS-2022-1652 (CVE-2022-43593)
• TALOS-2022-1653 (CVE-2022-43594-CVE-2022-43595)
• TALOS-2022-1657 (CVE-2022-43603)

Talos also discovered these five lower-scoring CVE sensitive information disclosure vulnerability advisories:

• TALOS-2022-1627 (CVE-2022-41977)
• TALOS-2022-1629 (CVE-2022-36354)
• TALOS-2022-1631 (CVE-2022-41649)
• TALOS-2022-1643 (CVE-2022-41988)
• TALOS-2022-1651 (CVE-2022-43592)
• TALOS-2022-1654 (CVE-2022-43596)

Cisco Talos worked with OpenImageIO to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Project OpenImageIO master-branch-9aeece7a, v2.3.19.0 and v2.4.4.2. Talos tested and confirmed these versions of OpenImageIO could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60735-60736, 60766-60767, 60733-60734, 60713-60720, 60730-60731, 60796-60799. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.