CVE-2021-21795

9.8 CRITICAL

📋 TL;DR

A heap-based buffer overflow in the PSD parser of Accusoft ImageGear 19.9 is triggered by a specially crafted PSD file. Successful exploitation gives the attacker code execution in the context of the process that parses the file. Because ImageGear is a library, every application that links it and feeds it untrusted PSD input inherits the flaw, and a compromised host process can be used to take control of the system.

💻 Affected Systems

Products:
  • Accusoft ImageGear
Versions: 19.9
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses the ImageGear library to process PSD files is exposed; the trigger involves PSD files carrying ICC profile data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution with the privileges of the process hosting ImageGear. Where that process is a service running as SYSTEM or root, this means complete system compromise, data theft, and lateral movement.

🟠

Likely Case

Code execution as the application's service account, which is enough for file system access, data exfiltration, and establishing persistence.

🟢

If Mitigated

With exploit mitigations in place (ASLR, DEP/NX, heap hardening) and the parsing process running with low privileges in a sandbox, a failed exploit attempt typically ends as a crash of that process: denial of service rather than code execution. The mitigations raise the cost of exploitation; they do not remove the overflow.

🌐 Internet-Facing: HIGH - Any web application that accepts image uploads and hands them to ImageGear (thumbnailing, format conversion, preview generation) can be reached with a crafted PSD, and mail gateways that render attachments are equally exposed.
🏢 Internal Only: MEDIUM - A user or an automated job must open or process the malicious file, but email attachments and shared folders watched by conversion services make that easy to arrange.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Cisco Talos, which reported the issue, published technical details in its advisory. No authentication is needed: the attacker only has to get the crafted PSD processed by an ImageGear-linked application, whether through an upload, an attachment, or a file dropped into a watched folder.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.10 or later

Vendor Advisory: https://www.accusoft.com/products/imagegear/

Restart Required: Yes

Instructions:

1. Download ImageGear 19.10 or later from the Accusoft portal.
2. Uninstall the current version.
3. Install the updated version.
4. Restart affected applications and services.

🔧 Temporary Workarounds

File Type Restriction

Platforms: all

Block or quarantine PSD files at the email gateway and in upload handlers. Where PSD must be accepted, parse the file's Image Resources section before handing it to ImageGear and reject files that contain an ICC profile resource (resource ID 1039 in the PSD specification), since the trigger involves PSD files with ICC profiles. Decide on file content, not on the client-supplied extension or Content-Type.

Application Sandboxing

Platforms: all

Run the process that hosts ImageGear under a dedicated low-privilege account, in a sandbox or container with no outbound network access, with DEP/ASLR and heap hardening enabled, so that a successful overflow is contained to a disposable process.

🧯 If You Can't Patch

  • Validate uploads server-side: check the PSD magic and structure, reject files carrying an ICC profile resource, and never trust the client-supplied extension or Content-Type
  • Deploy application control (AppLocker, WDAC, or equivalent) so the process hosting ImageGear cannot launch executables or interpreters from untrusted, user-writable locations
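The following is an added example, not code from the page, from Accusoft, or from Cisco Talos. It implements the pre-filter described under File Type Restriction and the first item above: it walks only the fixed PSD header, the Color Mode Data section and the Image Resources section, bounds-checks every length field before using it, and rejects files carrying an ICC profile resource (IDs 1039 and 1040 in Adobe's PSD specification). The sample PSD files are constructed inline; a real deployment would call `check_psd_upload` on the raw upload bytes before the file ever reaches ImageGear.

```python
"""Pre-filter for PSD uploads: reject malformed files and embedded ICC profiles
before the bytes reach an ImageGear-linked process. Sample files are constructed."""
import struct

ICC_PROFILE_RESOURCE_IDS = {0x040F, 0x0410}   # 1039 = ICC profile, 1040 = ICC untagged flag


class PsdRejected(ValueError):
    """Malformed structure, or a length field that points outside its container."""


def _read(fmt, buf, off):
    """Big-endian unpack with a bounds check on every field."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise PsdRejected(f"truncated field at offset {off}")
    return struct.unpack_from(fmt, buf, off)


def iter_image_resources(data):
    """Yield (resource_id, name, payload) for every block in the Image Resources section."""
    if len(data) < 26 or data[:4] != b"8BPS":
        raise PsdRejected("bad magic or header shorter than 26 bytes")
    if _read(">H", data, 4)[0] not in (1, 2):        # 1 = PSD, 2 = PSB
        raise PsdRejected("unsupported version")
    off = 26
    color_mode_len = _read(">I", data, off)[0]
    off += 4
    if color_mode_len > len(data) - off:
        raise PsdRejected("Color Mode Data section overruns file")
    off += color_mode_len
    resources_len = _read(">I", data, off)[0]
    off += 4
    if resources_len > len(data) - off:
        raise PsdRejected("Image Resources section overruns file")
    end = off + resources_len
    while off < end:
        # Smallest legal block: "8BIM" + id + empty padded name + length = 12 bytes
        if end - off < 12 or data[off:off + 4] != b"8BIM":
            raise PsdRejected(f"bad resource block at offset {off}")
        resource_id = _read(">H", data, off + 4)[0]
        name_len = data[off + 6]
        if off + 7 + name_len > end:
            raise PsdRejected("resource name overruns section")
        name = data[off + 7:off + 7 + name_len]
        off += 6 + (name_len + 1) + ((name_len + 1) & 1)  # Pascal string padded to even
        size = _read(">I", data, off)[0]
        off += 4
        if size > end - off:
            raise PsdRejected(f"resource 0x{resource_id:04X} declares {size} bytes, "
                              f"only {end - off} remain in section")
        yield resource_id, name, data[off:off + size]
        off += size + (size & 1)                          # payload padded to even


def check_psd_upload(data, allow_icc=False):
    """Return (accepted, reason). Rejects malformed files and, unless allow_icc, ICC profiles."""
    try:
        for resource_id, _name, payload in iter_image_resources(data):
            if resource_id in ICC_PROFILE_RESOURCE_IDS and not allow_icc:
                return False, f"embedded ICC profile resource 0x{resource_id:04X} ({len(payload)} bytes)"
    except PsdRejected as exc:
        return False, f"malformed PSD: {exc}"
    return True, "accepted"


# --- constructed sample files (not real-world captures) ----------------------
def _resource_block(resource_id, payload, name=b""):
    name_field = bytes([len(name)]) + name
    if len(name_field) & 1:
        name_field += b"\x00"
    block = b"8BIM" + struct.pack(">H", resource_id) + name_field + struct.pack(">I", len(payload)) + payload
    return block + (b"\x00" if len(payload) & 1 else b"")


def build_psd(resources=b""):
    """1x1 RGB 8-bit PSD: header, empty Color Mode Data, given resources, empty layers, raw pixels."""
    header = b"8BPS" + struct.pack(">H", 1) + b"\x00" * 6 + struct.pack(">HIIHH", 3, 1, 1, 8, 3)
    return (header + struct.pack(">I", 0)
            + struct.pack(">I", len(resources)) + resources
            + struct.pack(">I", 0)                    # layer and mask info (empty)
            + struct.pack(">H", 0) + b"\x00" * 3)     # raw image data, 3 channels x 1 pixel


RESOLUTION_INFO = _resource_block(0x03ED, b"\x00" * 16)   # 1005 = ResolutionInfo, harmless
CLEAN_PSD = build_psd(RESOLUTION_INFO)
ICC_PSD = build_psd(RESOLUTION_INFO + _resource_block(0x040F, b"constructed-icc-bytes"))
# A block whose length field claims far more than the section holds
OVERRUN_PSD = build_psd(b"8BIM" + struct.pack(">H", 0x040F) + b"\x00\x00"
                        + struct.pack(">I", 0xFFFFFFF0) + b"\x00" * 4)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PSD), ("icc", ICC_PSD), ("overrun", OVERRUN_PSD), ("gif", b"GIF89a")):
        print(f"{label:8s} -> {check_psd_upload(sample)}")
```

The filter deliberately stops after the Image Resources section: nothing later in the file is needed for the decision, and every byte not parsed is a byte that cannot be used against the filter itself. Treat the "malformed PSD" outcome as a rejection too; a file whose length fields do not add up is exactly the kind of input a vulnerable parser should never see.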

🔍 How to Verify

Check if Vulnerable:

Identify the ImageGear native libraries or .NET assemblies that your application actually loads and read their file or assembly version; any 19.9 build is affected.

Check Version:

On Windows, read the DLL's file version from its properties (Details tab) or with PowerShell (`(Get-Item <path>).VersionInfo`); for .NET deployments, inspect the assembly version of the ImageGear assemblies; on Linux, check the library file and your build's dependency manifest.

Verify Fix Applied:

Confirm that the ImageGear libraries loaded by the running process report 19.10 or later; check what the process loads, not only what is installed, since stale copies shipped inside application directories are common. Exercise a crafted trigger file only in an isolated test environment, never against production.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unusual process spawning from ImageGear applications

Network Indicators:

  • PSD uploads to endpoints that feed ImageGear, especially from unauthenticated sources or with a Content-Type that does not match the file's magic bytes
  • Network connections from ImageGear processes to suspicious IPs

SIEM Query:

(source="application.log" AND "ImageGear" AND ("crash" OR "access violation" OR "0xC0000005")) OR (process_name="*ImageGear*" AND parent_process!="explorer.exe")

The parentheses are required; without them the mix of AND and OR is ambiguous. ImageGear is a library rather than a process, so replace `*ImageGear*` in the second clause with the names of the processes that load it, and tune the parent filter to your environment: a conversion service started by services.exe or w3wp.exe is normal, while a shell spawned by that service is not.
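An added example, not from the page or from any vendor, showing the two log indicators above as detection rules run over constructed sample events. Rule 1 flags an application-log line that names ImageGear and carries a memory-fault signature; rule 2 flags a process-creation event whose parent is a process that hosts ImageGear and whose child is a shell or LOLBin. The host process name `ImageViewerSvc.exe` is an assumption for this example; substitute the binaries that load ImageGear in your environment.

```python
"""Detection rules for the ImageGear log indicators, run over constructed sample events."""
import json
import re

IMAGEGEAR_HOSTS = {"imageviewersvc.exe"}     # assumption: processes that link ImageGear
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "sh", "bash", "curl", "wget",
}
# Windows exception codes 0xC0000005 (access violation) and 0xC0000374 (heap corruption),
# plus the words a crash handler or glibc typically logs
CRASH_PATTERN = re.compile(
    r"access violation|0xc0000005|0xc0000374|heap corruption|segfault|SIGSEGV|SIGABRT", re.I)


def _basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_imagegear_crash(event):
    """Rule 1: application log, ImageGear named, memory-fault signature present."""
    msg = event.get("message", "")
    if event.get("source") == "application.log" and "imagegear" in msg.lower() and CRASH_PATTERN.search(msg):
        return {"rule": "imagegear_memory_fault", "host": event.get("host"), "detail": msg}
    return None


def rule_spawn_from_imagegear_host(event):
    """Rule 2: a process hosting ImageGear spawned a shell or LOLBin."""
    if event.get("event_type") != "process_create":
        return None
    parent, child = _basename(event.get("parent_image", "")), _basename(event.get("image", ""))
    if parent in IMAGEGEAR_HOSTS and child in SUSPICIOUS_CHILDREN:
        return {"rule": "imagegear_host_spawned_shell", "host": event.get("host"),
                "detail": f"{parent} -> {child} {event.get('command_line', '')}".strip()}
    return None


RULES = (rule_imagegear_crash, rule_spawn_from_imagegear_host)


def run_rules(lines):
    """Parse each JSON log line, apply every rule, return the list of findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                              # malformed line: skip, do not crash the pipeline
        findings.extend(f for f in (rule(event) for rule in RULES) if f)
    return findings


# Constructed sample events (not real telemetry)
SAMPLE_LINES = [
    r'{"source":"application.log","host":"web01","message":"ImageGear: unhandled exception 0xC0000005 (access violation) decoding upload_4417.psd"}',
    r'{"source":"application.log","host":"web01","message":"ImageGear: converted upload_4418.psd to PNG in 212 ms"}',
    r'{"source":"sysmon","host":"web01","event_type":"process_create","parent_image":"C:\\Program Files\\Example\\ImageViewerSvc.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -c whoami"}',
    r'{"source":"sysmon","host":"web01","event_type":"process_create","parent_image":"C:\\Program Files\\Example\\ImageViewerSvc.exe","image":"C:\\Windows\\System32\\conhost.exe","command_line":"conhost.exe 0x4"}',
    r'{"source":"sysmon","host":"ws07","event_type":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe"}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_LINES):
        print(finding)
```

Rule 2 keys on the parent rather than on a process named ImageGear, because the library runs inside whatever application links it; maintaining the `IMAGEGEAR_HOSTS` set from your software inventory is what makes the rule meaningful. Rule 1 alone is noisy on a badly behaved service, so correlate a crash followed within minutes by a rule 2 hit on the same host for a high-confidence alert.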
