Vulnerabilities in Popular Fonts Allow XXE & Arbitrary Command Attacks

The modern fonts ordinary in web construction and have would possibly per chance well even be exploited to open XML Exterior Entity (XXE) attacks and carry out arbitrary commands.

These vulnerabilities, identified as CVE-2023-45139, CVE-2024-25081, and CVE-2024-25082, pose a well-known probability, taking into consideration XML Exterior Entity (XXE) attacks and arbitrary mutter execution.

This poses a well-known security probability to customers and organizations using these fonts.

This discovery underscores the normally-uncared for security dangers connected with font rendering in application applications and running methods.

CVE-2023-45139 – Won in translation

CVE-2023-45139 highlights a well-known vulnerability in FontTools, a flexible Python library for font manipulation, specifically in going via SVG tables in OpenType fonts.

This flaw stems from the library’s use of the LXML XML parser, which resolves external entities by default. Attackers would possibly per chance well exploit this by crafting malicious XML stutter material within SVG tables, main to an XML Exterior Entity (XXE) attack.

This vulnerability turn into once demonstrated via a proof of opinion the keep the /and quite a bit others/passwd file is inclined to be embedded within a font file, potentially exposing sensitive system knowledge.

The distress turn into once responsibly disclosed to the FontTools maintainers, who promptly addressed it by disabling entity resolution within the XML parser. This repair turn into once launched in a subsequent replace, mitigating the probability posed by this vulnerability.

Canva has identified explicit vulnerabilities that come up while exploring font processing tools.

The watch sheds gentle on the that you just would possibly per chance additionally imagine security threats and demonstrates how these problems can manifest in such tools.

CVE-2024-25081 – :(){ :|:& };:.zip

Marked by its skill to permit XXE attacks, CVE-2024-25081 opens the door for attackers to intervene with the processing of XML files.

By blueprint of such attacks, perpetrators can trigger denial of provider, set aside unauthorized operations, and even receive entry to sensitive knowledge by referencing external entities within a compromised XML doc.

CVE-2024-25082 – Font tartare

Akin to CVE-2024-25081, this vulnerability also facilitates XXE attacks. Then yet yet again, it distinguishes itself via the particular mechanisms and contexts in which it would possibly per chance even be exploited, providing attackers yet any other avenue to manipulate XML processing for wicked capabilities.

The vulnerabilities straight influence the safety of modern fonts, as they exploit weaknesses within the font rendering processes ordinary by varied application applications and running methods.

Fonts, an integral portion of digital aesthetics, are ubiquitous in digital environments, making this distress specifically pervasive.

The affected methods span a ideal preference, from web browsers and doc readers to running methods that depend upon font-rendering engines to display conceal textual stutter material.

Because the digital world continues to evolve, so terminate the challenges of putting forward security and privateness.

All stakeholders need to remain vigilant, instructed, and prepared to act in opposition to threats developing from unexpected quarters.

That you just would possibly per chance block malware, alongside with Trojans, ransomware, spyware and adware, rootkits, worms, and 0-day exploits, with Perimeter81 malware protection. All are incredibly unsightly, can wreak havoc, and ruin your network.

Defend up thus a long way on Cybersecurity news, Whitepapers, and Infographics. Apply us on LinkedIn & Twitter.