CVE-2018-6767
📋 TL;DR
A stack-based buffer over-read vulnerability in WavPack's RF64 file parser allows attackers to cause denial-of-service or potentially execute arbitrary code by crafting malicious audio files. This affects systems processing untrusted WavPack files, particularly media servers, audio processing tools, and applications using the library. The vulnerability is triggered when parsing specially crafted RF64 audio files.
💻 Affected Systems
- WavPack
- Applications using WavPack library
📦 What is this software?
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Wavpack by Wavpack
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if the buffer over-read can be leveraged for arbitrary code execution.
Likely Case
Denial-of-service through application crashes when processing malicious files, potentially disrupting audio processing services.
If Mitigated
Limited to application crashes with proper sandboxing and privilege separation in place.
🎯 Exploit Status
Exploitation requires the victim to process a malicious RF64 file. Public proof-of-concept exists demonstrating crash/DoS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: WavPack 5.1.1 and later
Vendor Advisory: https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
Restart Required: No
Instructions:
1. Update WavPack to version 5.1.1 or later. 2. For Linux distributions, use package manager: 'sudo apt update && sudo apt upgrade wavpack' (Debian/Ubuntu) or 'sudo yum update wavpack' (RHEL/CentOS). 3. For source installations, download latest from GitHub and recompile.
🔧 Temporary Workarounds
Disable RF64 file processing
allConfigure applications to reject RF64 format WavPack files if not required.
Application-specific configuration required
Input validation
allImplement file type validation before processing WavPack files.
Implement file signature checking in application code
🧯 If You Can't Patch
- Implement strict file upload controls and scanning for audio processing systems
- Run WavPack processing in isolated containers with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check WavPack version: 'wavpack --version' or 'dpkg -l | grep wavpack' or 'rpm -q wavpack'. If version is 5.1.0 or earlier, system is vulnerable.Check Version:
wavpack --version 2>/dev/null | head -1Verify Fix Applied:
Confirm version is 5.1.1 or later using version check commands. Test with known malicious RF64 file in controlled environment.📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing audio files
- Segmentation faults in WavPack processes
- Unexpected termination of audio processing services
Network Indicators:
- Unusual uploads of RF64 audio files to media processing endpoints
SIEM Query:
process_name:"wavpack" AND (event_type:"crash" OR exit_code:139)🔗 References
- http://packetstormsecurity.com/files/155743/Slackware-Security-Advisory-wavpack-Updates.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889276
- https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
- https://github.com/dbry/WavPack/issues/27
- https://seclists.org/bugtraq/2019/Dec/37
- https://usn.ubuntu.com/3568-1/
- https://www.debian.org/security/2018/dsa-4125
- http://packetstormsecurity.com/files/155743/Slackware-Security-Advisory-wavpack-Updates.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889276
- https://github.com/dbry/WavPack/commit/d5bf76b5a88d044a1be1d5656698e3ba737167e5
- https://github.com/dbry/WavPack/issues/27
- https://seclists.org/bugtraq/2019/Dec/37
- https://usn.ubuntu.com/3568-1/
- https://www.debian.org/security/2018/dsa-4125
