Vulnerabilities discovered by Tyler Bohan from Talos
Talos is disclosing two denial-of-service vulnerabilities in Pixar’s Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.
Pixar remedied these vulnerabilities in RenderMan version 21.7
TALOS-2018-0523 / CVE-2018-3840
An attacker could send a malformed TCP packet to port 4001 using the ‘0x67’ command that is not followed by one of the four values (0x00 - 0x03) permitted for the subsequent byte. Due to a lack of input validation, a null pointer dereference is caused, as well as a denial of service. You can read more details in the Talos Vulnerability Report.
TALOS-2018-0524 / CVE-2018-3841
This vulnerability is caused by a very similar issue as described in TALOS-2018-0523. The only difference is that a potential attacker supplies a packet containing the ‘0x69’ command, followed by more than one byte of data to trigger the vulnerability. You can read more details in the Talos Vulnerability Report.
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rule: 45610, 45604
Overview
Talos is disclosing two denial-of-service vulnerabilities in Pixar’s Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.
Pixar remedied these vulnerabilities in RenderMan version 21.7
Details
TALOS-2018-0523 / CVE-2018-3840
An attacker could send a malformed TCP packet to port 4001 using the ‘0x67’ command that is not followed by one of the four values (0x00 - 0x03) permitted for the subsequent byte. Due to a lack of input validation, a null pointer dereference is caused, as well as a denial of service. You can read more details in the Talos Vulnerability Report.
TALOS-2018-0524 / CVE-2018-3841
This vulnerability is caused by a very similar issue as described in TALOS-2018-0523. The only difference is that a potential attacker supplies a packet containing the ‘0x69’ command, followed by more than one byte of data to trigger the vulnerability. You can read more details in the Talos Vulnerability Report.
Coverage
The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rule: 45610, 45604