CVE-2017-5332

7.8 HIGH

📋 TL;DR

CVE-2017-5332 is a memory corruption vulnerability in icoutils' wrestool component that allows local users to crash processes and potentially execute arbitrary code via crafted executables. This affects systems running icoutils before version 0.31.1, primarily Linux distributions that include this icon/cursor extraction utility. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • icoutils
Versions: All versions before 0.31.1
Operating Systems: Linux distributions including Debian, Red Hat, openSUSE, and derivatives
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where icoutils is installed and used to process executable files with icon/cursor resources.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation leading to full system compromise through arbitrary code execution with the privileges of the icoutils process.

🟠

Likely Case

Denial of service through application crashes when processing malicious icon/cursor resources.

🟢

If Mitigated

Limited impact if icoutils is not installed or if SELinux/AppArmor restricts process capabilities.

🌐 Internet-Facing: LOW - Requires local access to execute malicious files; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users could exploit this for privilege escalation or DoS attacks on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local user access and ability to run icoutils on crafted files. Memory corruption vulnerabilities in parsing utilities often lead to reliable exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.31.1

Vendor Advisory: http://www.nongnu.org/icoutils/

Restart Required: No

Instructions:

1. Update the icoutils package using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install icoutils
3. For RHEL/CentOS: sudo yum update icoutils
4. For openSUSE: sudo zypper update icoutils

🔧 Temporary Workarounds

Remove icoutils package


Uninstall icoutils if not required for system functionality

sudo apt remove icoutils
sudo yum remove icoutils
sudo zypper remove icoutils

Restrict icoutils execution


Use SELinux/AppArmor to restrict icoutils capabilities and file access

# SELinux: confine wrestool in its own domain and keep that domain enforcing, e.g. semanage permissive -d icoutils_t
# (stock policies ship no icoutils_t; the type name is a placeholder for a domain defined in a custom policy module)
# Or create an AppArmor profile restricting icoutils

🧯 If You Can't Patch

  • Remove execute permissions from icoutils binary for non-privileged users
  • Implement strict file upload controls to prevent malicious executables from reaching systems

🔍 How to Verify

Check if Vulnerable:

Check icoutils version (any release below 0.31.1 is affected): v=$(wrestool --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ -n "$v" ] && [ "$(printf '%s\n' "$v" 0.31.1 | sort -V | head -n1)" != 0.31.1 ] && echo 'VULNERABLE'

Check Version:

wrestool --version 2>/dev/null || icoutils --version 2>/dev/null || dpkg -l icoutils 2>/dev/null || rpm -q icoutils 2>/dev/null

Verify Fix Applied:

Verify version is 0.31.1 or later: v=$(wrestool --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1); [ -n "$v" ] && [ "$(printf '%s\n' "$v" 0.31.1 | sort -V | head -n1)" = 0.31.1 ] && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault crashes in icoutils/wrestool processes
  • Abnormal process termination with memory access errors

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

process.name:"wrestool" AND (event.action:"segmentation_fault" OR event.outcome:"failure")
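A self-contained check covering the "How to Verify" and "Detection & Monitoring" sections above, added here as an example and not the advisory's or the icoutils project's own tooling: it extracts the version from wrestool --version output, compares it field by field against the 0.31.1 fix release in plain POSIX sh, and counts wrestool segfault records in a constructed kernel-log sample. The function names, version strings, PIDs and addresses are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the icoutils project: compare an
# installed wrestool version against the fix release (0.31.1 per the advisory)
# in plain POSIX sh, and count the segfault records the advisory lists as a
# log indicator. Sample inputs below are constructed.
set -f   # no globbing while the version line is split into words

FIXED_VERSION="0.31.1"

# extract_version 'wrestool (icoutils) 0.31.0' -> prints 0.31.0
extract_version() {
    set -- $1
    for tok in "$@"; do
        case "$tok" in [0-9]*.[0-9]*) printf '%s\n' "$tok"; return 0 ;; esac
    done
    return 1
}

# version_lt A B: succeeds when A < B, comparing dot-separated fields as
# numbers (so 0.31.10 > 0.31.1 and 0.4 < 0.31), unlike a plain string match.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# check_cve_2017_5332 "$(wrestool --version 2>/dev/null)": prints VULNERABLE,
# PATCHED, or UNKNOWN when no version string is present in the text.
check_cve_2017_5332() {
    v=$(extract_version "$1") || { echo UNKNOWN; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then echo VULNERABLE; return 1; fi
    echo PATCHED
}

# Constructed kernel-log lines in the format Linux uses for segfault reports;
# PIDs and addresses are made up.
SAMPLE_KLOG='wrestool[4121]: segfault at 8 ip 00007f3a1c2b4d2e sp 00007ffd2a8c4b10 error 4 in libc.so.6[7f3a1c1f4000+1b7000]
systemd[1]: Started Session 12 of user alice.
wrestool[4130]: segfault at 0 ip 000055cd8a1c3e0f sp 00007ffd1b0b3e40 error 6 in wrestool[55cd8a1b2000+16000]'

# count_wrestool_segfaults "$klog" -> number of wrestool segfault records
count_wrestool_segfaults() {
    printf '%s\n' "$1" | grep -c '^wrestool\[[0-9]*\]: segfault'
}
check_cve_2017_5332 "$(wrestool --version 2>/dev/null)" || true   # local install
```

Feed journalctl -k or dmesg output to count_wrestool_segfaults to get the crash count the SIEM query above is looking for.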

🔗 References