Date: 11 December 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0901 -- [Win][Linux][HP-UX][AIX]
Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
11 December 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Sophos Small business edition 4.06.1 (engine 2.34.3)
Trend Micro PC-Cillin Internet Security 2006
Trend Micro Office Scan 7.3
Trend Micro Server Protect 5.58
Publisher: iDEFENSE
Operating System: Windows
Linux variants
HP-UX
AIX
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-5645
Original Bulletin:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Vendor Antivirus RAR File Denial of Service Vulnerability
iDefense Security Advisory 12.08.06
http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2006
I. BACKGROUND
AntiVirus products typically handle searching files for known viruses
within their scan engines. Most scan engines support searching inside of
known archive types for viruses as well. For more information refer to
any of the popular AntiVirus vendors' web sites.
II. DESCRIPTION
Remote exploitation of a denial of service vulnerability in Multiple
Vendors' Antivirus engines allows an attacker to cause the engines to
consume excessive resources.
The affected vendors' scan engines are vulnerable to a DoS attack when
scanning specially malformed RAR archives. Specifically, the malformed
archives will have the head_size and pack_size fields set to zero in
Archive Header section. When such a file is encountered, the affected scan
engines will enter an infinite loop.
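The trigger described above is a block header whose size fields cannot move a header walker forward. The following is an added illustration, not code from the advisory or from any vendor's engine: a minimal RAR block walker in Python, using the block layout from the public RAR 2.x/3.x format description (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, optional ADD_SIZE/PACK_SIZE). The two sample archives are constructed in the code; the function and constant names are the example's own. The unguarded walker shows the cursor sticking at the forged header, and the guarded walker rejects the archive instead of looping.

```python
import struct

# Block header layout from the public RAR format description (assumed here, not
# taken from any vendor's engine):
#   HEAD_CRC u16 | HEAD_TYPE u8 | HEAD_FLAGS u16 | HEAD_SIZE u16 | [ADD_SIZE u32 if LONG_BLOCK]
# For a file header (0x74) the u32 after HEAD_SIZE is PACK_SIZE and LONG_BLOCK is set.
MARKER_BLOCK = b"Rar!\x1a\x07\x00"   # fixed 7-byte marker block that starts every archive
LONG_BLOCK = 0x8000
HEAD_MAIN = 0x73
HEAD_FILE = 0x74
FIXED_HEADER_LEN = 7                 # CRC + type + flags + size


def build_block(head_type, flags, head_size, add_size=0, extra=b""):
    """Serialise one block. head_size is written exactly as given so a caller can forge zero."""
    hdr = struct.pack("<HBHH", 0, head_type, flags, head_size)   # CRC left as 0; not checked here
    if flags & LONG_BLOCK:
        hdr += struct.pack("<I", add_size)
    return hdr + extra


# Constructed sample archives (not real captures).
# Main header: 7 fixed bytes + 6 reserved bytes = 13. File header: fixed fields zeroed
# except the size fields, followed by a name and 5 bytes of "packed" data.
_MAIN = build_block(HEAD_MAIN, 0, 13, extra=b"\x00" * 6)
_FILE_EXTRA = b"\x00" * 21 + b"a.txt"
GOOD_ARCHIVE = (MARKER_BLOCK + _MAIN
                + build_block(HEAD_FILE, LONG_BLOCK, FIXED_HEADER_LEN + 4 + len(_FILE_EXTRA),
                              add_size=5, extra=_FILE_EXTRA) + b"hello")
# The CVE-2006-5645 shape: file header with head_size == 0 and pack_size == 0.
BAD_ARCHIVE = MARKER_BLOCK + _MAIN + build_block(HEAD_FILE, LONG_BLOCK, 0, add_size=0)


def naive_steps(data, limit):
    """Cursor positions visited by an unguarded walker (bounded by `limit` so the demo terminates).
    With a zero head_size and zero pack_size, pos never changes: this is the infinite loop."""
    pos = len(MARKER_BLOCK)
    visited = []
    while pos + FIXED_HEADER_LEN <= len(data) and len(visited) < limit:
        _crc, _htype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = 0
        if flags & LONG_BLOCK and pos + FIXED_HEADER_LEN + 4 <= len(data):
            (add_size,) = struct.unpack_from("<I", data, pos + FIXED_HEADER_LEN)
        visited.append(pos)
        pos += head_size + add_size      # no progress check
    return visited


def walk_blocks(data, max_blocks=1000):
    """Guarded walker: returns [(type, flags, head_size, add_size, offset), ...] or raises ValueError.
    A block must be at least as large as its own fixed fields, so the cursor always advances."""
    if not data.startswith(MARKER_BLOCK):
        raise ValueError("not a RAR archive")
    pos = len(MARKER_BLOCK)
    blocks = []
    while pos + FIXED_HEADER_LEN <= len(data):
        if len(blocks) >= max_blocks:
            raise ValueError("too many blocks")
        _crc, htype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = 0
        if flags & LONG_BLOCK:
            if pos + FIXED_HEADER_LEN + 4 > len(data):
                raise ValueError("truncated long block at offset %d" % pos)
            (add_size,) = struct.unpack_from("<I", data, pos + FIXED_HEADER_LEN)
        if head_size < FIXED_HEADER_LEN:
            # Covers head_size == 0: such a block can never move pos forward.
            raise ValueError("malformed block at offset %d: head_size=%d add_size=%d"
                             % (pos, head_size, add_size))
        blocks.append((htype, flags, head_size, add_size, pos))
        pos += head_size + add_size
    return blocks


if __name__ == "__main__":
    print("good archive, guarded walk:", [hex(b[0]) for b in walk_blocks(GOOD_ARCHIVE)])
    print("bad archive, unguarded walk (first 5 cursor positions):", naive_steps(BAD_ARCHIVE, 5))
    try:
        walk_blocks(BAD_ARCHIVE)
    except ValueError as e:
        print("bad archive, guarded walk rejected:", e)
```

The check that matters is the lower bound on head_size (and, more generally, that each iteration strictly advances the cursor); a block-count cap alone is a weaker backstop, since an engine that loops without advancing does no useful work before hitting it. The same progress rule applies to any container format a scan engine walks by chaining size fields.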
III. ANALYSIS
Successful exploitation will allow an attacker to cause the affected scan
engine to consume excessive CPU, and in some cases memory, resources. The
malicious RAR file would need to be uploaded to a server to initiate the
attack. Several common ways this could be achieved are e-mail attachments,
available network shares, FTP accounts, or Web form uploads.
The impact of the vulnerability varies slightly from vendor to vendor as
described below.
Sophos:
Scanning of archives is not enabled by default and must be specified by
the user. This denial of service attack will prevent the scanner from
scanning other files on disk while it is stuck on the exploit file. The
hung process can be stopped by the user.
Trend Micro:
Once attacked, the scan engine will consume 99 percent of CPU resources and
the affected computer will require a reboot to recover from the condition.
The scan engine process cannot be forced to quit, although its thread
priority can be lowered to regain some use of the system before reboot.
IV. DETECTION
iDefense has confirmed this vulnerability exists in the following vendors'
products. This should not be considered an exhaustive list as these vendors
tend to include the scan engine in many of their products. Previous
versions are likely to be affected as well.
* Sophos Small business edition (Windows/Linux) 4.06.1 with
engine version 2.34.3.
* Trend Micro PC Cillin - Internet Security 2006
* Trend Micro Office Scan 7.3
* Trend Micro Server Protect 5.58
V. WORKAROUND
For Sophos' scan engine, this exploit will not have any effect if the
"Enabled scanning of archives" option is not set. iDefense is currently
unaware of a workaround for this issue for the remaining vendor's engines.
VI. VENDOR RESPONSE
Sophos has addressed this problem with new versions of their products. See
http://www.sophos.com/support/knowledgebase/article/7609.html for more
information.
Trend Micro stated that this vulnerability does not affect version 8.320 of
their Windows scan engine. Additionally, they have released version 8.150
of the HPUX and AIX builds of their scan engine to address this problem in
those environments.
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-5645 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
VIII. DISCLOSURE TIMELINE
09/27/2006 Initial vendor notifications
09/27/2006 Initial vendor response - Trend Micro
09/28/2006 Initial vendor response - Sophos
12/08/2006 Coordinated public disclosure
IX. CREDIT
The vulnerability was reported by Titon of BastardLabs, Damian Put
<pucik@overflow.pl>, and an anonymous researcher.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2006 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please email
customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRXzGVSh9+71yA2DNAQKDlQP/aFYeWv3Y/xs/CVLPHEN8vOmXUK3b7rtk
PXRZxSVwzDMKS/+rPgt1vrxvcLuVVLhWQrtKcdK5fgv9eOFzp4WjsPazDVV9YPjh
+VACObT5DlDTJUEQnxql+9b3eRdqogu+hctiX4DXYpd3iphBp3gM4VUTVQ7UaSLj
sw3xHbygw+M=
=8oxO
-----END PGP SIGNATURE-----