Unrated severity · NVD Advisory · Published Jun 26, 2018 · Updated Sep 16, 2024

CVE-2018-3840

Description

A denial-of-service vulnerability exists in the Pixar Renderman IT Display Service 21.6 (0x67). The vulnerability is present in the parsing of a network packet without proper validation of the packet. The data read by the application is not validated, and its use can lead to a null pointer dereference. The IT application is opened by a user and then listens for a connection on port 4001. An attacker can deliver an attack once the application has been opened.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null pointer dereference in Pixar Renderman IT Display Service 21.6 allows remote attackers to trigger a denial of service by sending a crafted packet to port 4001.

Vulnerability

The vulnerability exists in the Pixar Renderman IT Display Service 21.6 (0x67). The service is part of the Renderman rendering application used in animation and film production. The IT Display Service listens on port 4001 for connections from any host and receives packets containing information about where to find an image for rendering. The vulnerability is present in the parsing of a network packet without proper validation: after a direct socket read in the command 0x67, the data read is not validated, and its use can lead to a null pointer dereference. The affected version is Renderman 21.6 [1].

Exploitation

An attacker can deliver an attack once the application has been opened by a user. The attacker needs network access to the target machine and can send a crafted packet to port 4001 without any authentication. The first byte of the packet is parsed in a command loop, and the 0x67 command triggers a socket read of attacker-controlled data. Due to lack of validation, this can result in a null pointer dereference [1].

Impact

Successful exploitation leads to a denial-of-service condition: the application crashes due to a null pointer dereference (CWE-476). The impact is limited to availability, with no impact on confidentiality or integrity. The CVSSv3 score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) [1].

Mitigation

As of the publication date (2018-06-26), the vendor Pixar had not yet released a patch for Renderman 21.6. Users are advised to restrict network access to port 4001 and to monitor for updates from Pixar. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the analysis date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
