CVE-2026-21675

iccDEV (multiple products) · iccDEV provides a set of libraries and tools for working with ICC color management

A critical Use After Free vulnerability exists in the iccDEV color management libraries, affecting multiple products using versions 2.3.1 and below.

Executive summary

A critical Use After Free vulnerability exists in the iccDEV color management libraries, affecting multiple products using versions 2.3.1 and below. This flaw can be triggered when an application processes a specially crafted file, potentially allowing an attacker to execute arbitrary code and gain full control of the affected system. Due to the high severity, immediate patching is required to prevent a potential system compromise.

Vulnerability

The vulnerability is a Use After Free (UAF) condition within the CIccXform::Create() function of the iccDEV library. In vulnerable versions, a memory object (referred to as hint) is deallocated (freed) while a pointer to it is retained. Later, the program dereferences this pointer, which now refers to freed memory. An attacker can exploit this by crafting a malicious file (such as an image with a specially designed ICC color profile) that, when processed by an application using the vulnerable library, manipulates memory to place malicious code in the freed location. Successful exploitation leads to arbitrary code execution in the context of the user running the application, or to a denial-of-service condition through an application crash.
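As an added illustration (this is not iccDEV's code and not the body of CIccXform::Create()), the C++ sketch below shows the bug class the advisory describes beside the ownership-transfer form that removes it. The Hint and Xform types, the function names and the "configOk" flag are hypothetical stand-ins chosen for the example.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Hypothetical stand-ins for the objects involved; these are NOT iccDEV's
// own types, and the functions below illustrate the bug class only.
struct Hint  { std::string profileName; };
struct Xform { std::string boundHint; };

// Vulnerable pattern: the callee receives a raw pointer and frees it on one
// path, but the caller still holds the same address and may use it later.
// Nothing in the type system tells the caller that `hint` is dead.
Xform* createUnsafe(Hint* hint, bool configOk) {
    if (!configOk) {
        delete hint;        // freed here ...
        return nullptr;     // ... yet the caller's copy of the pointer survives
    }
    return new Xform{hint->profileName};   // ownership of `hint` left ambiguous
}

// Hardened pattern: ownership of the hint moves into the callee. The caller's
// unique_ptr becomes null, so a later dereference fails a null check instead
// of touching freed memory, and the hint is released exactly once.
std::unique_ptr<Xform> createSafe(std::unique_ptr<Hint> hint, bool configOk) {
    if (!hint || !configOk) {
        return nullptr;     // `hint` is destroyed when it goes out of scope here
    }
    return std::unique_ptr<Xform>(new Xform{hint->profileName});
}

// After ownership transfer the caller no longer holds a usable pointer,
// regardless of which path the callee took.
bool callerPointerCleared(bool configOk) {
    std::unique_ptr<Hint> hint(new Hint{"constructed-profile"});
    auto xf = createSafe(std::move(hint), configOk);
    (void)xf;
    return hint == nullptr;
}

// Name bound into the transform on the success path, or a marker on failure.
std::string boundHintName(bool configOk) {
    std::unique_ptr<Hint> hint(new Hint{"constructed-profile"});
    auto xf = createSafe(std::move(hint), configOk);
    return xf ? xf->boundHint : std::string("<no xform>");
}

int main() {
    // Only the hardened path is exercised: calling createUnsafe(hint, false)
    // and then reading `hint` would be undefined behaviour, which is the point.
    assert(callerPointerCleared(true));
    assert(callerPointerCleared(false));
    assert(boundHintName(true) == "constructed-profile");
    assert(boundHintName(false) == "<no xform>");
    return 0;
}
```

The practical takeaway for code review is the signature change: a function that may free an argument should take ownership explicitly (here by value through std::unique_ptr) rather than accept a raw pointer, so that the freed-then-reused state cannot be expressed by the caller.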

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the system where the vulnerable software is running. An attacker could execute code remotely, allowing them to install malware, exfiltrate sensitive data, disrupt business operations, or use the compromised system as a pivot point to attack other internal network resources. The business risk is significant for any system that processes untrusted files using software dependent on the vulnerable iccDEV library, such as graphic design workstations, web servers that process image uploads, or document management systems.

Remediation

Immediate Action: Identify all systems and applications that utilize the iccDEV library and update them to the patched version 2.3.1.1 or later. Prioritize patching on internet-facing systems and critical workstations that process files from external sources. After patching, monitor for any signs of exploitation attempts and review relevant application and system logs for unusual activity preceding the update.

Proactive Monitoring: Implement enhanced monitoring for applications that use the iccDEV library. Look for unusual application crashes, especially those related to file processing. Monitor for suspicious child processes spawning from the affected applications. Analyze network traffic for unexpected outbound connections from systems running the software, which could indicate a successful compromise. Review security logs for memory corruption errors or access violations tied to the vulnerable processes.
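As an added example that is not part of the advisory, the C++ scanner below applies two of the signals named above (memory-fault crashes in processes known to use the library, and shells spawned by those processes) to a few constructed log lines. The "event key=value" line format, the process names imgconv and docrender, and the inventory list are assumptions made for the example, not the output of any real logging product.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample lines; the format is an assumption for this example.
static const std::vector<std::string> kSampleLog = {
    "crash proc=imgconv signal=SIGSEGV file=upload-0042.jpg",
    "crash proc=texteditor signal=SIGSEGV file=notes.txt",
    "spawn parent=imgconv child=/bin/sh",
    "spawn parent=imgconv child=/usr/bin/thumbnail-helper",
    "crash proc=docrender signal=SIGTERM file=report.pdf",
    "spawn parent=docrender child=/usr/bin/bash",
};

// Placeholder inventory of local processes known to link the affected
// library; in practice this list comes from the asset inventory.
static const std::vector<std::string> kWatchedProcesses = {"imgconv", "docrender"};

// Split "event k1=v1 k2=v2" into a map; the first token becomes "event".
std::map<std::string, std::string> parseFields(const std::string& line) {
    std::map<std::string, std::string> fields;
    std::istringstream in(line);
    std::string token;
    if (in >> token) fields["event"] = token;
    while (in >> token) {
        auto eq = token.find('=');
        if (eq != std::string::npos)
            fields[token.substr(0, eq)] = token.substr(eq + 1);
    }
    return fields;
}

bool isWatched(const std::string& proc) {
    for (const auto& p : kWatchedProcesses)
        if (p == proc) return true;
    return false;
}

// A child is treated as a shell when its basename is sh or bash.
bool looksLikeShell(const std::string& path) {
    auto slash = path.rfind('/');
    std::string base = slash == std::string::npos ? path : path.substr(slash + 1);
    return base == "sh" || base == "bash";
}

// One alert string per suspicious line: memory-fault crashes in watched
// processes, and shells whose parent is a watched process.
std::vector<std::string> findSuspicious(const std::vector<std::string>& lines) {
    std::vector<std::string> alerts;
    for (const auto& line : lines) {
        auto f = parseFields(line);
        if (f["event"] == "crash" && isWatched(f["proc"]) &&
            (f["signal"] == "SIGSEGV" || f["signal"] == "SIGBUS" || f["signal"] == "SIGABRT")) {
            alerts.push_back("memory-fault-crash proc=" + f["proc"] + " file=" + f["file"]);
        } else if (f["event"] == "spawn" && isWatched(f["parent"]) && looksLikeShell(f["child"])) {
            alerts.push_back("shell-from-file-processor parent=" + f["parent"] + " child=" + f["child"]);
        }
    }
    return alerts;
}

std::vector<std::string> sampleAlerts() { return findSuspicious(kSampleLog); }

int main() {
    for (const auto& a : sampleAlerts()) std::cout << a << '\n';
    return 0;
}
```

Run against the constructed lines, the scanner raises three alerts: the SIGSEGV in imgconv while handling an uploaded image, and the two shells spawned under imgconv and docrender; the crash in an unrelated editor, the SIGTERM, and the ordinary helper child are ignored. The crash rule is only as good as the inventory behind kWatchedProcesses, which is why the "identify all systems and applications" step comes first.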

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Restrict File Processing: Block or quarantine files from untrusted or external sources until they can be scanned in an isolated environment.
  • Application Sandboxing: Run the affected applications in a sandbox or container to limit the impact of a potential exploit, preventing it from affecting the underlying operating system.
  • Endpoint Detection and Response (EDR): Ensure EDR solutions are deployed and configured to detect and block anomalous process behavior and memory manipulation techniques commonly used in UAF exploits.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to the organization. We strongly recommend that all system owners immediately identify and patch affected software to version 2.3.1.1 or a later release. This vulnerability should be treated with the highest priority. Although it is not yet on the CISA KEV list, the potential for remote code execution means that proactive patching is essential to prevent future exploitation and a potential system compromise.