Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: iDefense Security Advisory 02.15.07: Multiple Vendor ClamAV CAB FileDenial of Service Vulnerability
И еще одна уязвимость в clamav - правда, существенно менее опасная.
Словом, надо обновляться...
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Thursday, February 15, 2007 9:50 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 02.15.07: Multiple Vendor
> ClamAV CAB FileDenial of Service Vulnerability
>
> Multiple Vendor ClamAV CAB File Denial of Service Vulnerability
>
> iDefense Security Advisory 02.15.07
>
> Feb 15, 2007
>
> I. BACKGROUND
>
> Clam AntiVirus is a multi-platform GPL anti-virus toolkit.
> The main purpose
> of which is integration into electronic mail servers. More information
> about ClamAV can be found at . Microsoft
> CAB files are
> the native compressed file format for Windows.
>
> II. DESCRIPTION
>
> Remote exploitation of a resource consumption vulnerability in Clam
> AntiVirus' ClamAV allows attackers to degrade the service of the clamd
> scanner.
>
> The vulnerability specifically exists due to a file
> descriptor leak. When
> clam encounters a cabinet header with a record length of zero it will
> return from a function without closing a local file
> descriptor. This can
> be triggered multiple times, eventually using up all but three of its
> available file descriptors. This prevents clam from scanning most
> archives, including zip and tar files.
>
> III. ANALYSIS
>
> Exploitation allows attackers to degrade the functionality of
> the ClamAV
> virus scanning service. Exploitation requires that attackers send a
> specially constructed CAB file through an e-mail gateway or personal
> anti-virus client using the ClamAV scanning engine.
>
> When ClamAV is unable to scan an archive successfully because
> it has run
> out of descriptors, it will return an error status. Several
> mail servers
> that use clam were tested to see how they handled this
> status. Exim, as of
> version 4.50, features an option to build clamd support into
> it. It will
> reject a mail if clamd fails to scan it properly. Amavisd
> will also deny a
> mail that clamd cannot properly scan. This vulnerability can
> be used to
> deny service to users trying to send legitimate archives
> through the mail
> gateway.
>
> IV. DETECTION
>
> iDefense has confirmed this vulnerability affects Clam
> AntiVirus ClamAV
> v0.90RC1.1. All versions prior to the 0.90 stable release are
> suspected
> to be
> vulnerable.
>
> V. WORKAROUND
>
> iDefense is unaware of any effective workarounds for this issue.
>
> VI. VENDOR RESPONSE
>
> Clam AntiVirus has addressed this vulnerability in the
> version 0.90 stable
> release.
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-0897 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 02/07/2007 Initial vendor notification
> 02/13/2007 Initial vendor response
> 02/15/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright © 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at
> the time of publishing based on currently available
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or
> reliance on, this
> information.
> _______________________________________________
> To unsubscribe, go here:
>
>
|
