Piotr Bania, Cory Duplantis and Martin Zeiser of Cisco Talos discovered this vulnerability.
Today, Cisco Talos is disclosing a vulnerability that we identified in the MKVToolNix mkvinfo utility that parses the Matroska file format video files (.mkv files).
MKVToolNix is a set of tools to create, alter and inspect Matroska files on Linux, Windows and other operating systems.
Matroska is a file format for storing common multimedia content, like movies or TV shows, with implementations consisting of mostly of open-source software. Matroska file extensions are MKV for video, MK3D for stereoscopic video, MKA for audio-only files and MKS for subtitle-only files.
MKV files are multimedia container formats. An MKV container can incorporate audio, video, and subtitles into a single file — even if those elements use different types of encoding. For example, you could have an MKV file that contains H.264 video and an MP3 or AAC file for audio.
TALOS-2018-0694 (CVE-2018-4022) is a use-after-free vulnerability that exists in the MKVToolNix mkvinfo tool and its handling of the MKV (Matroska video) file format. An attacker may be able to create a malicious MKV file that would trigger the vulnerability and allow the attacker to execute code in the context of the current user.
While reading a new element, the mkvinfo parser attempts to validate the current element by checking if it has a particular valid value. If there is no such value, the parser deletes the element since the read was invalid.
However, even if the element is deleted, the value is passed back to the calling function via a variable, but there is no validation, even if this element is valid and was not freed before.
It is possible to forge a file in a way that the vulnerable function frees an element so that another delete operation triggers a use-after-free vulnerability.
The vulnerability is confirmed in the 64-bit version 25.0.0 of the mkvinfo tool, but it may also be present in earlier versions. Users are advised to update their MKVToolNix toolset to version 28.2.0 or later.
The following SNORTⓇ Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.