SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#361180

McAfee Scan Engine vulnerable to buffer overflow in LHA decoder

Overview

A buffer overflow vulnerability in the McAfee Virus Scan Engine may allow a remote attacker to execute arbitrary code on an affected system. Because the vulnerability exists in a core component, a number of different McAfee products are affected.

I. Description

The McAfee Antivirus products feature the ability to detect malicious code in a number of compressed files, including those in the LHA format. A buffer overflow error has been discovered in the way that the McAfee Scan Engine handles the "type 2" headers in an LHA file. A remote attacker with the ability to craft a specifically malfomed LHA file may be able to exploit this vulnerability by introducing the malformed LHA file to an affected system via a web or FTP server, email message, or file server.

McAfee lists the following products as being potentially vulnerable to this issue, depending on the version of the scan engine they use:

  • McAfee InternetSecurity Suite
  • VirusScan (all versions)
  • VirusScan Professional
  • Active Mail Protection
  • Active Threat Protection
  • Active Virus Defense SMB Edition
  • Active VirusScan SMB Edition
  • GroupShield for Exchange
  • GroupShield for Exchange 5.5
  • GroupShield for Lotus Domino
  • GroupShield for Mail Servers with ePO
  • LinuxShield
  • Managed VirusScan
  • NetShield for Netware
  • PortalShield for Microsoft SharePoint
  • SecurityShield for Microsoft ISA Server
  • Virex
  • VirusScan ASaP
  • VirusScan Command Line
  • VirusScan Enterprise 8.0i
  • VirusScan for NetApp
  • WebShield Appliances
  • WebShield SMTP

II. Impact

An unauthenticated remote attacker may be able to execute code of their choosing on a vulnerable system. The attacker-supplied code would be run with Local System privileges, resulting in a complete system compromise.

III. Solution

Apply an update from the vendor


McAfee has published updated versions of the Scan Engine (version 4400 - released November 2004) and DAT file (version 4436 - released March 1, 2005) to address this vulnerability. Users are encouraged to review the McAfee FAQ and McAfee advisory on this issue and update their products accordingly.

Systems Affected

VendorStatusDate NotifiedDate Updated
McAfeeVulnerable21-Mar-2005

References


http://xforce.iss.net/xforce/alerts/id/190
http://secunia.com/advisories/14628/
http://www.securityfocus.com/bid/12832
http://www.securitytracker.com/alerts/2005/Mar/1013463.html

Credit

The CERT/CC credits Alex Wheeler of the ISS X-Force with the discovery of this vulnerability.

This document was written by Chad R Dougherty based upon information provided by McAfee and ISS.

Other Information

Date Public:2005-03-18
Date First Published:2005-03-18
Date Last Updated:2005-03-21
CERT Advisory: 
CVE-ID(s):CAN-2005-0644
NVD-ID(s):CAN-2005-0644
US-CERT Technical Alerts: 
Metric:22.32
Document Revision:6

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2005 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader