CVE-2020-35523
📋 TL;DR
An integer overflow vulnerability in libtiff's tif_getimage.c allows attackers to execute arbitrary code when a user opens a malicious TIFF file. This affects any application using vulnerable versions of libtiff to process TIFF images. The vulnerability compromises confidentiality, integrity, and system availability.
💻 Affected Systems
- libtiff
- Applications using libtiff library (ImageMagick, GIMP, various document viewers, etc.)
📦 What is this software?
Libtiff by Libtiff
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or application crash when processing malicious TIFF files from untrusted sources.
If Mitigated
Denial of service through application crashes if code execution fails.
🎯 Exploit Status
Exploitation requires crafting a malicious TIFF file that triggers the integer overflow. Public proof-of-concept exists in bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libtiff 4.2.0 and later
Vendor Advisory: https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2
Restart Required: Yes
Instructions:
1. Update libtiff to version 4.2.0 or later.
2. For Linux distributions: use the package manager (apt-get update && apt-get upgrade libtiff5, yum update libtiff, etc.).
3. For Windows: download the updated version from the libtiff website.
4. Restart affected applications or services.
🔧 Temporary Workarounds
Disable TIFF processing
Configure applications to reject or not process TIFF files.
# Application specific - configure image processors to skip TIFF format
Use file type restrictions
Implement file upload restrictions to block TIFF files.
# Web server configuration example for Apache:
<FilesMatch "\.(tif|tiff)$">
    Require all denied
</FilesMatch>
🧯 If You Can't Patch
- Implement strict file upload filtering to block TIFF files in web applications
- Use application sandboxing or containerization to limit impact of potential exploitation
🔍 How to Verify
Check if Vulnerable:
Check the libtiff version: tiffinfo -v, or dpkg -l 'libtiff*' | grep ^ii on Debian/Ubuntu, or rpm -qa | grep libtiff on RHEL/Fedora. Note that tiffinfo -v prints the version banner on stderr on some builds, so redirect stderr into stdout rather than discarding it.
Check Version:
{ command -v tiffinfo >/dev/null 2>&1 && tiffinfo -v 2>&1 | head -1; } || dpkg -l 'libtiff*' 2>/dev/null | grep ^ii || rpm -qa 2>/dev/null | grep libtiff
Verify Fix Applied:
Confirm the libtiff version is 4.2.0 or higher: tiffinfo -v should show version 4.2.0+. Distributions often backport the fix into an older upstream version number (see the Debian and Fedora advisories below); on such systems compare the package version against the distribution's advisory rather than against the upstream 4.2.0 number alone.
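The verification steps above leave the version comparison to the reader, and real version strings are rarely a clean "4.2.0" (the tiffinfo banner reads "LIBTIFF, Version 4.x.y", and distro packages carry suffixes such as "+git...-2~deb10u2"). The following script is an added example, not part of this advisory or of libtiff itself: it normalises a version string to its leading dotted-numeric prefix, compares it component-wise against the 4.2.0 fixed release named above, and discovers the installed version via the same sources the advisory lists (tiffinfo, dpkg, rpm). The sample version strings at the bottom are constructed, and the assumption that tiffinfo -v may print to stderr is handled by merging the streams.

```shell
#!/bin/sh
# Added example (not from the advisory or libtiff): check an installed
# libtiff version against the fixed release 4.2.0 for CVE-2020-35523.
# Caveat: distributions frequently backport the fix without raising the
# upstream version number, so "vulnerable" here means "confirm against
# your distribution's advisory", not a definitive verdict.

FIXED_VERSION="4.2.0"

# Print only the leading dotted-numeric part of a version string, e.g.
# "LIBTIFF, Version 4.2.0" -> "4.2.0", "4.1.0+git191117-2~deb10u2" -> "4.1.0".
version_prefix() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if version $1 >= version $2, comparing numeric components
# left to right; missing components count as 0 ("4.2" == "4.2.0").
version_ge() {
    awk -v a="$(version_prefix "$1")" -v b="$(version_prefix "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = A[i] + 0; y = B[i] + 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Classify one version string. Prints "fixed", "vulnerable" or "unknown"
# and returns 0, 1 or 2 respectively.
libtiff_status() {
    if [ -z "$(version_prefix "$1")" ]; then
        echo "unknown"; return 2
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# Discover the installed version using the advisory's own sources, in order.
# Prints nothing if none of them is available on this host.
installed_libtiff_version() {
    if command -v tiffinfo >/dev/null 2>&1; then
        tiffinfo -v 2>&1 | head -1          # banner may be on stderr (assumption)
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' 'libtiff*' 2>/dev/null | head -1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' libtiff 2>/dev/null | head -1
    fi
}

# Demo on constructed sample strings (not taken from any real host).
for v in "LIBTIFF, Version 4.2.0" "4.1.0+git191117-2~deb10u2" "4.10.0" "3.9.7"; do
    printf '%-32s -> %s\n' "$v" "$(libtiff_status "$v")"
done

# Then the live host, if any of the version sources exists here.
installed=$(installed_libtiff_version)
if [ -n "$installed" ]; then
    printf 'installed: %-20s -> %s\n' "$installed" "$(libtiff_status "$installed")"
fi
```

Run it as `sh check_libtiff.sh`; a non-zero status from `libtiff_status` is what you would wire into a fleet-wide audit, with "vulnerable" results cross-checked against the distribution advisory before being treated as findings.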
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing TIFF files
- Unexpected process spawning from image processing applications
- Memory access violation errors in application logs
Network Indicators:
- Unusual outbound connections from image processing services
- TIFF file downloads from suspicious sources
SIEM Query:
source="application.logs" AND ("segmentation fault" OR "access violation" OR "libtiff") AND ("tif" OR "tiff")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1932040
- https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2
- https://gitlab.com/libtiff/libtiff/-/merge_requests/160
- https://lists.debian.org/debian-lts-announce/2021/06/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMHBYFMX3D5VGR6Y3RXTTH3Q4NF4E6IG/
- https://security.gentoo.org/glsa/202104-06
- https://security.netapp.com/advisory/ntap-20210521-0009/
- https://www.debian.org/security/2021/dsa-4869