9.3 - VU#680540

Executive Summary

Summary
Title	ICQ 7 fails to verify the origin of software updates

Informations
Name	VU#680540	First vendor Publication	2011-01-13
Vendor	VU-CERT	Last vendor Modification	2011-01-13
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#680540

ICQ 7 fails to verify the origin of software updates

Overview

ICQ 7 does not verify the origin of automatic updates which may allow a remote attacker to execute arbitrary code.

I. Description

According to ICQ's website: "ICQ, the pioneer of Instant Messaging (IM), now offers the optimal integration between Instant Messaging and Social Networks with the newest ICQ version – the Social Messaging tool that can be downloaded free of charge at www.icq.com." ICQ 7 checks for updates on start-up but does not verify the origin of updates through digital signatures or other means. An attacker who can successfully spoof update.icq.com using a man-in-the-middle attack, DNS poisoning, or some other means can cause the client to download a malicious software update.

II. Impact

By successfully spoofing the update site, an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Digital Sky Technologies	Affected		2011-01-13

References

Credit

Thanks to Daniel Seither for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:	2011-01-13
Date First Published:	2011-01-13
Date Last Updated:	2011-01-13
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:	13.16
Document Revision:	13

Original Source

Url : http://www.kb.cert.org/vuls/id/680540

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-94	Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type	Description	Count
Application	Icq cpe:2.3:a:icq:icq:7:::::::*	1

OpenVAS Exploits

Date	Description
2011-01-21	Name : ICQ 7 Instant Messaging Client Remote Code Execution Vulnerability File : nvt/gb_icq_remote_code_exec_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
70486	ICQ Automatic Update Authenticity Verification Weakness Arbitrary Code Execution ICQ contains a flaw related to the verification of update authenticity. This may allow a man-in-the-middle attacker to use a crafted file fetched through an automatic update to execute arbitrary code.

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	1
osvdb(s)	1
Openvas Exploit(s)	1

	Related
9.3	CVE-2011-0487
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)