Executive Summary
| Summary | |
|---|---|
| Title | ClamAV upack heap buffer overflow vulnerability |
| Informations | |||
|---|---|---|---|
| Name | VU#858595 | First vendor Publication | 2008-04-21 |
| Vendor | VU-CERT | Last vendor Modification | 2008-04-29 |
| Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
Vulnerability Note VU#858595ClamAV upack heap buffer overflow vulnerabilityOverviewThe ClamAV anti-virus scanner contains a vulnerability that may allow an attacker to execute code or cause ClamAV to crash.I. DescriptionThe Portable Executable (PE) file format is a file format for executable files that is used in Microsoft Windows. PE files can be packed with executable packers, such as upack. The ClamAV anti-virus scanner can unpack and scan PE files that are packed with upack.From ClamAV bug ID 878:
The vulnerability is caused due to a boundary error within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable. Note that the ClamAV team has disabled the scanning of PE files that were packed with upack in older versions of ClamAV to prevent this vulnerability from being exploited. II. ImpactA remote, unauthenticated attacker may be able to execute arbitrary code or cause ClamAV to crash.III. SolutionUpgradeUsers are encouraged to upgrade to ClamAV .93, which was released to address this issue. Note that because of a workaround applied by the ClamAV team, ClamAV versions prior to .93 may not be able to scan PE files that were packed with the upack packer.
References
Thanks to Secunia Research and the ClamAV team for information that was used in this report. This document was written by Ryan Giobbi.
|
Original Source
| Url : http://www.kb.cert.org/vuls/id/858595 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-05-12 | Name : Mac OS X 10.5.5 Update / Security Update 2008-006 File : nvt/macosx_upd_10_5_5_secupd_2008-006.nasl |
| 2009-10-10 | Name : SLES9: Security update for clamav File : nvt/sles9p5023300.nasl |
| 2009-04-09 | Name : Mandriva Update for clamav MDVSA-2008:088 (clamav) File : nvt/gb_mandriva_MDVSA_2008_088.nasl |
| 2009-02-17 | Name : Fedora Update for clamav FEDORA-2008-3358 File : nvt/gb_fedora_2008_3358_clamav_fc7.nasl |
| 2009-02-17 | Name : Fedora Update for clamav FEDORA-2008-3420 File : nvt/gb_fedora_2008_3420_clamav_fc8.nasl |
| 2009-02-17 | Name : Fedora Update for clamav FEDORA-2008-3900 File : nvt/gb_fedora_2008_3900_clamav_fc9.nasl |
| 2009-02-17 | Name : Fedora Update for clamav FEDORA-2008-6422 File : nvt/gb_fedora_2008_6422_clamav_fc8.nasl |
| 2009-02-17 | Name : Fedora Update for clamav FEDORA-2008-9651 File : nvt/gb_fedora_2008_9651_clamav_fc8.nasl |
| 2009-01-23 | Name : SuSE Update for clamav SUSE-SA:2008:024 File : nvt/gb_suse_2008_024.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200805-19 (clamav) File : nvt/glsa_200805_19.nasl |
| 2008-09-04 | Name : FreeBSD Ports: clamav File : nvt/freebsd_clamav14.nasl |
| 2008-04-21 | Name : Debian Security Advisory DSA 1549-1 (clamav) File : nvt/deb_1549_1.nasl |
| 2008-02-29 | Name : ClamAV < 0.93.1 vulnerability File : nvt/clamav-CB-A08-0001.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 44519 | ClamAV libclamav spin.c Crafted PeSpin Packed PE Binary Handling Overflow |
| 44370 | ClamAV libclamav/pe.c cli_scanpe Function Crafted Upack PE File Handling Remo... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-088.nasl - Type : ACT_GATHER_INFO |
| 2008-09-16 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_5.nasl - Type : ACT_GATHER_INFO |
| 2008-09-16 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2008-006.nasl - Type : ACT_GATHER_INFO |
| 2008-05-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200805-19.nasl - Type : ACT_GATHER_INFO |
| 2008-05-16 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3900.nasl - Type : ACT_GATHER_INFO |
| 2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3358.nasl - Type : ACT_GATHER_INFO |
| 2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3420.nasl - Type : ACT_GATHER_INFO |
| 2008-04-25 | Name : The remote openSUSE host is missing a security update. File : suse_clamav-5199.nasl - Type : ACT_GATHER_INFO |
| 2008-04-25 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_clamav-5200.nasl - Type : ACT_GATHER_INFO |
| 2008-04-22 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1549.nasl - Type : ACT_GATHER_INFO |
| 2008-04-18 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_589d80530b0311ddb4ef00e07dc4ec84.nasl - Type : ACT_GATHER_INFO |
