CVE-2021-32614

7.1 HIGH

📋 TL;DR

This is an out-of-bounds read vulnerability in dmg2img versions through 20170502. An attacker can trigger a read past the end of a buffer by providing a specially crafted DMG file, potentially leading to information disclosure or memory corruption. Anyone using dmg2img to convert Apple DMG disk images is affected.

💻 Affected Systems

Products:
  • dmg2img
Versions: All versions through 20170502
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where dmg2img is installed and used to process DMG files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory layout information leakage could enable attackers to bypass ASLR and chain with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Information disclosure through memory leak, potentially exposing sensitive data or system information.

🟢 If Mitigated

Minimal impact if proper input validation and memory protections are in place.

🌐 Internet-Facing: LOW - dmg2img is typically a local utility, not internet-facing.
🏢 Internal Only: MEDIUM - Users processing untrusted DMG files could be exploited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to process a malicious DMG file. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 20170502

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1959911

Restart Required: No

Instructions:

1. Check current dmg2img version.
2. Update to latest version from official repository.
3. Recompile if using source.
4. Verify fix with test DMG files.

🔧 Temporary Workarounds

Avoid processing untrusted DMG files

Do not use dmg2img on DMG files from untrusted sources.

🧯 If You Can't Patch

  • Remove dmg2img from systems where it's not essential
  • Implement strict file validation and only process DMG files from trusted sources

🔍 How to Verify

Check if Vulnerable:

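Check the dmg2img version:

dmg2img --version | grep -q '20170502' && echo 'VULNERABLE'

This matches only the exact string 20170502. All versions through 20170502 are affected, so the absence of output does not show that the installed version is fixed.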

Check Version:

dmg2img --version

Verify Fix Applied:

Ensure version is newer than 20170502: dmg2img --version

📡 Detection & Monitoring

Log Indicators:

  • Process crashes or abnormal termination of dmg2img
  • Large memory allocation failures

Network Indicators:

  • N/A - local utility

SIEM Query:

process.name='dmg2img' AND (event.action='crash' OR event.outcome='failure')
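
The crash indicator above can also be checked directly against host logs. The following is an added example, not part of the original advisory or of dmg2img: it assumes the standard Linux kernel "segfault at" message and auditd ANOM_ABEND record formats, and the sample log lines are constructed.

```python
import re

# Constructed sample lines (not from a real host): a kernel segfault report,
# an auditd ANOM_ABEND record, an unrelated crash and an unrelated login.
SAMPLE_LOG = """\
May 12 10:01:07 ws01 kernel: dmg2img[4312]: segfault at 7f3a1c9ff000 ip 000055d0c1a2b3f4 sp 00007ffd3b1e2a10 error 4 in dmg2img[55d0c1a29000+8000]
type=ANOM_ABEND msg=audit(1620813667.412:981): auid=1000 uid=1000 gid=1000 ses=3 pid=4377 comm="dmg2img" exe="/usr/bin/dmg2img" sig=11 res=1
May 12 10:02:11 ws01 kernel: gzip[4400]: segfault at 0 ip 00007f0000001234 sp 00007ffc00000000 error 4 in gzip[400000+10000]
May 12 10:03:00 ws01 sshd[901]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

# Assumed formats: kernel "segfault at" messages and auditd ANOM_ABEND records.
KERNEL_RE = re.compile(
    r"(?P<comm>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)")
AUDIT_RE = re.compile(
    r'type=ANOM_ABEND .*?\bpid=(?P<pid>\d+) .*?comm="(?P<comm>[^"]+)"'
    r'.*?\bsig=(?P<sig>\d+)')

SIGSEGV = 11  # the kernel "segfault" message is logged for SIGSEGV


def find_crashes(log_text, process="dmg2img"):
    """Return one dict per abnormal termination of `process` in log_text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = KERNEL_RE.search(line)
        if m and m["comm"] == process:
            hits.append({"line": lineno, "source": "kernel",
                         "pid": int(m["pid"]), "signal": SIGSEGV,
                         "fault_addr": m["addr"]})
            continue
        m = AUDIT_RE.search(line)
        if m and m["comm"] == process:
            # auditd records the terminating signal but not the fault address.
            hits.append({"line": lineno, "source": "auditd",
                         "pid": int(m["pid"]), "signal": int(m["sig"]),
                         "fault_addr": None})
    return hits


if __name__ == "__main__":
    for hit in find_crashes(SAMPLE_LOG):
        print(hit)
```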
