CVE-2023-42295

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in OpenImageIO's read_rle_image function allows remote attackers to execute arbitrary code or cause denial of service. This affects systems processing untrusted image files with OpenImageIO v2.4.12.0. Applications using OpenImageIO for image processing are vulnerable when handling malicious input.

💻 Affected Systems

Products:
  • OpenImageIO
Versions: v2.4.12.0
Operating Systems: All platforms running OpenImageIO
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using OpenImageIO to process image files is vulnerable when handling untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Denial of service through application crashes when processing malicious image files.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing prevent code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious image file that triggers the buffer overflow in the read_rle_image function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.4.13.0 or later

Vendor Advisory: https://github.com/OpenImageIO/oiio/issues/3947

Restart Required: Yes

Instructions:

1. Check the current OpenImageIO version.
2. Update to v2.4.13.0 or later via the package manager or by compiling from source.
3. Restart any services that use OpenImageIO.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation for image files before processing with OpenImageIO.

Sandbox Execution

all

Run OpenImageIO processes in isolated containers or sandboxes to limit impact.

🧯 If You Can't Patch

  • Restrict image file processing to trusted sources only.
  • Implement network segmentation to isolate systems using OpenImageIO.

🔍 How to Verify

Check if Vulnerable:

Check the installed OpenImageIO version with oiiotool --version; v2.4.12.0 is affected.

Verify Fix Applied:

Confirm the version is v2.4.13.0 or later. The pattern below accepts 2.4.13 through 2.4.99 and any later 2.x or 3.x through 9.x release line; if oiiotool prints the version in a different format, compare it by hand:

oiiotool --version | grep -E '(^|[^0-9.])(2\.4\.(1[3-9]|[2-9][0-9])|2\.([5-9]|[1-9][0-9])\.|[3-9]\.[0-9]+\.)'
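A component-wise version comparison is more robust than a regex, since it also accepts later release lines (2.5, 3.x). The following is an added example, not part of the advisory or of the OpenImageIO project; it assumes that the output of `oiiotool --version` contains a dotted version number somewhere on a line, and it takes the fixed version 2.4.13.0 from the advisory above.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenImageIO project): decide
# whether an OpenImageIO version string is at or past the fixed release.
# The hard-coded fixed version comes from the advisory; the output format of
# `oiiotool --version` is an assumption (any line containing a dotted version).
FIXED_VERSION="2.4.13.0"

# Print the first dotted version number (optionally prefixed with "v") found in
# the given text, or nothing if there is none.
extract_version() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^v?[0-9]+(\.[0-9]+)+$/) { sub(/^v/, "", $i); print $i; exit }
  }'
}

# Return 0 when version $1 >= version $2, comparing components numerically
# (so 2.4.13.0 > 2.4.9.0 and 2.5.0 > 2.4.13.0, which a plain regex gets wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# Return 0 if the text reports a fixed version, 1 if vulnerable, 2 if no
# version could be found (treat unknown as vulnerable in practice).
oiio_is_fixed() {
  v=$(extract_version "$1")
  [ -n "$v" ] || return 2
  version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: check the locally installed oiiotool, if any.
if command -v oiiotool >/dev/null 2>&1; then
  if oiio_is_fixed "$(oiiotool --version 2>&1)"; then
    echo "OpenImageIO is at or above $FIXED_VERSION: not affected by CVE-2023-42295"
  else
    echo "OpenImageIO is below $FIXED_VERSION or unknown: update to $FIXED_VERSION or later"
  fi
fi
```

The exit status of oiio_is_fixed (0 fixed, 1 vulnerable, 2 unknown) makes it usable directly from a fleet inventory or configuration-management check.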

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults in OpenImageIO processes
  • Error logs mentioning read_rle_image or unquantize.c

Network Indicators:

  • Unusual outbound connections from image processing services

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "OpenImageIO" OR "read_rle_image")
