CVE-2009-0947

9.8 CRITICAL

📋 TL;DR

Multiple integer overflows in the Compound Document Format (CDF) parser of the file utility (src/cdf.c in libmagic) let a crafted document corrupt memory: attacker-controlled counts and sizes from the file header are multiplied and used for allocations without overflow checks. Any system that runs a vulnerable file/libmagic (before 5.02) on untrusted input is affected; the result is at least a crash and potentially arbitrary code execution with the privileges of the process that invoked the parser.

💻 Affected Systems

Products:
  • file
Versions: before 5.02
Operating Systems: Linux, BSD, macOS and other Unix-like systems shipping file/libmagic
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when a crafted Compound Document Format (CDF, also called OLE2) file is parsed. CDF is the container used by legacy Microsoft Office formats (.doc, .xls, .ppt) and other formats such as .msi installers, so such files routinely arrive as uploads and mail attachments.
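To make the bug class concrete, here is an added example that is not file's own cdf.c and not the exact code fixed in 5.02: a minimal reader for the CDF header that shows the vulnerable size computation beside its hardened form. The header offsets follow the published CDF layout; the two headers it parses (one benign, one crafted) are constructed inside the block, and the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not file's own cdf.c: an illustrative CDF (OLE2 compound
 * document) header reader showing the integer-overflow pattern behind
 * CVE-2009-0947 next to a hardened version of the same computation.
 * Field offsets follow the published CDF header layout. */

static const uint8_t CDF_MAGIC[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};
#define CDF_HDR_LEN        512     /* the header always occupies the first 512 bytes */
#define CDF_OFF_SEC_SHIFT  0x1E    /* uint16: sector size is 1 << shift (9 or 12) */
#define CDF_OFF_NUM_FAT    0x2C    /* uint32: number of FAT sectors */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: sizing a buffer from an attacker-controlled count * size
 * in 32-bit arithmetic. The product wraps, a small buffer gets allocated, and
 * a loop that then copies num_fat sectors into it overruns the heap. */
uint32_t fat_bytes_unchecked(uint32_t num_fat, uint32_t sec_size)
{
    return num_fat * sec_size;   /* wraps modulo 2^32, no error reported */
}

/* Hardened form: reject counts the file could not physically contain and
 * check the multiplication for overflow before the result is used as a size. */
int fat_bytes_checked(uint32_t num_fat, uint32_t sec_size, size_t file_len, size_t *out)
{
    if (sec_size == 0)                          return -1;
    if (num_fat > file_len / sec_size)          return -1;  /* more sectors than bytes in file */
    if ((size_t)num_fat > SIZE_MAX / sec_size)  return -1;  /* would overflow size_t */
    *out = (size_t)num_fat * sec_size;
    return 0;
}

typedef struct {
    uint32_t sec_size;
    uint32_t num_fat;
    size_t   fat_bytes;   /* bytes needed to hold all FAT sectors */
} cdf_hdr;

/* Parse the fixed-size header; file_len is the total length of the file.
 * Returns 0 on success, -1 if the header is not a sane CDF header. */
int cdf_parse_header(const uint8_t *buf, size_t buf_len, size_t file_len, cdf_hdr *h)
{
    if (buf_len < CDF_HDR_LEN || memcmp(buf, CDF_MAGIC, sizeof CDF_MAGIC) != 0)
        return -1;
    uint16_t shift = rd16(buf + CDF_OFF_SEC_SHIFT);
    if (shift != 9 && shift != 12)              /* only 512- and 4096-byte sectors exist */
        return -1;
    h->sec_size = 1u << shift;
    h->num_fat  = rd32(buf + CDF_OFF_NUM_FAT);
    return fat_bytes_checked(h->num_fat, h->sec_size, file_len, &h->fat_bytes);
}

/* Build a constructed header (sample data for this example, not a real document). */
void make_header(uint8_t buf[CDF_HDR_LEN], uint16_t shift, uint32_t num_fat)
{
    memset(buf, 0, CDF_HDR_LEN);
    memcpy(buf, CDF_MAGIC, sizeof CDF_MAGIC);
    buf[CDF_OFF_SEC_SHIFT]     = (uint8_t)(shift & 0xff);
    buf[CDF_OFF_SEC_SHIFT + 1] = (uint8_t)(shift >> 8);
    for (int i = 0; i < 4; i++)
        buf[CDF_OFF_NUM_FAT + i] = (uint8_t)(num_fat >> (8 * i));
}

/* Self-checks: 1 when the parser behaves as described, 0 otherwise. */
int benign_header_parses(void)
{
    uint8_t buf[CDF_HDR_LEN]; cdf_hdr h;
    make_header(buf, 9, 1);                     /* one 512-byte FAT sector */
    return cdf_parse_header(buf, sizeof buf, 4096, &h) == 0 && h.fat_bytes == 512;
}

int crafted_header_rejected(void)
{
    uint8_t buf[CDF_HDR_LEN]; cdf_hdr h;
    /* 0x800001 sectors * 512 = 0x100000200, which wraps to 0x200 (512) in uint32 */
    make_header(buf, 9, 0x00800001u);
    return cdf_parse_header(buf, sizeof buf, 4096, &h) == -1;
}

int main(void)
{
    printf("benign header accepted: %d\n", benign_header_parses());
    printf("crafted header: unchecked size=%u (wrapped), rejected by checked parser: %d\n",
           fat_bytes_unchecked(0x00800001u, 512), crafted_header_rejected());
    return 0;
}
```

The crafted count is chosen so the wrapped product equals the benign value (512 bytes): an unchecked parser would allocate 512 bytes and then try to read over eight million sectors into it, which is exactly the allocation-size confusion that turns an integer overflow into a heap overflow. The checked variant fails closed on a count the file could not hold, which is the cheaper bound and catches this case before the overflow check is even needed.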

📦 What is this software?

file is the standard Unix utility that identifies a file's type by inspecting its contents rather than its name. The identification logic lives in the libmagic library, which other programs (web frameworks, mail filters, indexers) also call directly. The CDF parser in question is part of libmagic, so those programs are exposed as well as the command-line tool.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the process that ran the CDF parser (the file command, or an application linking libmagic), potentially leading to full system compromise.

🟠 Likely Case

Application crash (denial of service) when a crafted document is parsed; turning the heap corruption into reliable code execution depends on the allocator and heap layout of the specific build.

🟢 If Mitigated

Limited impact if file/libmagic runs with minimal privileges inside a sandbox and is not exposed to untrusted input.

🌐 Internet-Facing: MEDIUM - Exploitable if web applications run file or libmagic on user-uploaded files (for example for MIME-type detection) without sandboxing.
🏢 Internal Only: MEDIUM - Risk exists wherever file or libmagic processes untrusted files, such as email attachments, shared documents or files pulled in by indexing jobs.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (no credentials are involved, but a user or service must run the vulnerable parser on the crafted document)
Complexity: MEDIUM

Exploitation requires getting a vulnerable file/libmagic to parse the crafted document, either by a user running file on it or by an automated pipeline (upload scanner, mail gateway, indexer) that calls libmagic on incoming files. Proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.02 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=498682

Restart Required: No for the command-line tool. Long-running services that have libmagic loaded keep the old code until restarted, so restart them after the update. Software that bundles its own copy of libmagic is not fixed by the system package and needs its own update.

Instructions:

1. Update the file package with the system package manager. The library is usually packaged separately (for example libmagic1 on Debian/Ubuntu, file-libs on Red Hat-derived systems); make sure it is updated too.
2. Red Hat/CentOS: yum update file
3. Debian/Ubuntu: apt-get update && apt-get install file libmagic1
4. Verify with file --version. Distributions often backport security fixes without changing the upstream version number; on such systems check the package changelog for CVE-2009-0947 instead (rpm -q --changelog file | grep CVE-2009-0947, or zcat /usr/share/doc/file/changelog.Debian.gz | grep CVE-2009-0947).

🔧 Temporary Workarounds

Restrict file command usage

linux

Limit execution of the file binary to trusted users and processes. This covers only the command-line tool; applications that link libmagic directly are not affected by these permissions.

chmod 750 /usr/bin/file
setfacl -m u:trusteduser:rx /usr/bin/file

Sandbox file processing

linux

Run file in a restricted environment (no network, no capabilities, seccomp filter) when it must process untrusted input. Keep the input somewhere the sandbox can still read; a private temporary home would hide it.

firejail --net=none --caps.drop=all --nonewprivs --seccomp file untrusted.doc

🧯 If You Can't Patch

  • Skip the CDF parser entirely where the installed build supports it: file -e cdf on the command line, or the MAGIC_NO_CHECK_CDF flag when calling libmagic (check file --help for the list of excludable tests). The detailed document metadata file normally prints for CDF files will then be absent.
  • Treat every path that feeds untrusted files into file or libmagic (upload handlers, mail scanners, indexers) as exposed: validate file sizes and types up front, run the parser in a sandbox, and drop privileges before it runs.

🔍 How to Verify

Check if Vulnerable:

Run file --version; an upstream version below 5.02 is vulnerable unless the distribution has backported the fix.

Check Version:

file --version | head -1

Verify Fix Applied:

Run file --version and confirm 5.02 or later. On distributions that backport security fixes the banner may still show an older version; in that case confirm via the package changelog (rpm -q --changelog file | grep CVE-2009-0947 on Red Hat-derived systems, zcat /usr/share/doc/file/changelog.Debian.gz | grep CVE-2009-0947 on Debian-derived ones). Also confirm that services linking libmagic have been restarted since the update.

📡 Detection & Monitoring

Log Indicators:

  • Kernel or syslog entries of the form file[<pid>]: segfault at ... for the file binary, or core dumps from services that link libmagic
  • Unexpected termination of file (exit status 139 under a shell, i.e. 128 + SIGSEGV) or of a libmagic-linked service while handling a document

Network Indicators:

  • Uploads of CDF/OLE2 documents (.doc, .xls, .ppt, .msi) that are immediately followed by a crash of the scanning or upload-handling process
  • Repeated uploads of slightly different documents from one source, consistent with an attacker tuning a crafted file

SIEM Query:

process.name="file" AND (event.action="segmentation_fault" OR exit_code="139")

The field names above are illustrative; map them to your schema (for example auditd or journald crash records).
