CVE-2022-0908
📋 TL;DR
This vulnerability in libtiff allows an attacker to cause denial of service by passing a null pointer to memcpy() when processing specially crafted TIFF files. The flaw occurs in the TIFFFetchNormalTag() function and affects applications that use libtiff to parse TIFF images. Systems using libtiff versions up to 4.3.0 are vulnerable.
💻 Affected Systems
- libtiff
📦 What is this software?
Fedora by Fedoraproject
Libtiff by Libtiff
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash leading to denial of service, potentially affecting availability of services that process TIFF files.
Likely Case
Application crash when processing malicious TIFF files, causing temporary service disruption.
If Mitigated
No impact if patched or if TIFF file processing is restricted to trusted sources.
🎯 Exploit Status
Exploitation requires only a crafted TIFF file; no authentication needed. Public proof-of-concept exists in the GitLab issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libtiff 4.4.0 and later
Vendor Advisory: https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
Restart Required: Yes
Instructions:
1. Update libtiff to version 4.4.0 or later.
2. For Linux: use the package manager (apt-get update && apt-get upgrade libtiff5, yum update libtiff, etc.).
3. For Windows: download the updated version from the libtiff website.
4. Recompile applications if using static linking.
5. Restart affected services.
🔧 Temporary Workarounds
Restrict TIFF file processing
Block or validate TIFF files from untrusted sources before processing.
Use file type validation
Implement strict file type validation to reject malformed TIFF files.
🧯 If You Can't Patch
- Implement network filtering to block TIFF files from untrusted sources.
- Deploy application-level controls to validate TIFF files before processing.
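A pre-parse validator of the kind the workarounds above call for, added here as an example (not libtiff's own code and not part of the original advisory): it walks the TIFF header and IFD chain and rejects files whose entry tables are truncated, whose tag data points outside the file, or whose tags carry a zero-length value, before the bytes reach libtiff. Treating zero-count entries as malformed is this example's own hardening policy, not a rule stated by the advisory; the sample files are constructed inline.

```python
import struct

# Byte width of each TIFF 6.0 field type (1=BYTE ... 12=DOUBLE).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def validate_tiff(data: bytes, max_ifds: int = 64) -> list:
    """Walk header and IFD chain; return a list of problems (empty = accepted)."""
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        return ["bad byte-order mark %r" % data[:2]]
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return ["bad magic %d (expected 42)" % magic]
    problems, seen = [], set()
    while ifd_off and len(seen) < max_ifds:
        if ifd_off in seen or ifd_off + 2 > len(data):
            problems.append("IFD offset 0x%x loops or lies outside the file" % ifd_off)
            break
        seen.add(ifd_off)
        (n,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
        end = ifd_off + 2 + 12 * n  # first byte after the entry table
        if end + 4 > len(data):
            problems.append("IFD at 0x%x claims %d entries past end of file" % (ifd_off, n))
            break
        for i in range(n):
            e = ifd_off + 2 + 12 * i
            tag, typ, count, value = struct.unpack(endian + "HHII", data[e:e + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                problems.append("tag %d: unknown field type %d" % (tag, typ))
            elif count == 0:
                # Hardening policy of this example: a tag with no data is malformed.
                problems.append("tag %d: zero-length value" % tag)
            elif count * size > 4 and value + count * size > len(data):
                # Values wider than 4 bytes live at an offset; it must fit in the file.
                problems.append("tag %d: data at 0x%x runs past end of file" % (tag, value))
        (ifd_off,) = struct.unpack(endian + "I", data[end:end + 4])
    return problems


def build_tiff(entries):
    """Constructed little-endian TIFF with one IFD, for exercising the validator."""
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack("<HHII", tag, typ, count, value)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0)
```

Run validate_tiff() on an upload and reject it when the returned list is non-empty; the strings are suitable for the application log so that the SIEM query below can match on them.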
🔍 How to Verify
Check if Vulnerable:
Check the installed libtiff version with tiffinfo --version, or query the package version via the package manager.
Check Version:
tiffinfo --version 2>&1 | head -1
Verify Fix Applied:
Confirm libtiff version is 4.4.0 or later and test with known malicious TIFF file.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults when processing TIFF files
- Error logs containing memcpy or TIFFFetchNormalTag failures
Network Indicators:
- Unusual TIFF file uploads to web applications
- TIFF files with abnormal structure
SIEM Query:
source="application.log" AND ("segmentation fault" OR "memcpy" OR "TIFFFetchNormalTag")
🔗 References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0908.json
- https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
- https://gitlab.com/libtiff/libtiff/-/issues/383
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
- https://security.gentoo.org/glsa/202210-10
- https://security.netapp.com/advisory/ntap-20220506-0002/
- https://www.debian.org/security/2022/dsa-5108