Vulnerability Note VU#849841

Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers

Original Release date: 20 Nov 2012 | Last revised: 28 Jan 2014

Overview

Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.

Description

Autonomy Keyview IDOL is a set of libraries that can decode over 1,000 different file formats. The Autonomy Keyview IDOL libraries are used by a variety of applications, including IBM Lotus Notes, Lotus Domino, Symantec Mail Security, RSA DLP, VMware Zimbra, Hyland OnBase, and many others. These vulnerabilities result from a number of underlying issues. Some of these cases demonstrated memory corruption with attacker-controlled input and could be exploited to run arbitrary code.

Impact

By causing an application to process a specially crafted file with the Autonomy Keyview IDOL library, a remote, unauthenticated attacker may be able to cause an affected application to crash, resulting in a denial of service, or to execute arbitrary code with the privileges of the vulnerable application. Depending on which application is using Keyview IDOL, this may happen as the result of some user interaction, such as single-clicking on a file, or with no user interaction at all. The privileges that the code would execute with depend on the application in question. For example, an attacker who exploits Symantec Mail Security or IBM Lotus Domino would be able to achieve code execution with SYSTEM privileges.

Solution

Apply an update

This issue is addressed in Autonomy Keyview IDOL 10.16. Please see your vendor for relevant product updates that include this version of Keyview.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in the Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP, Windows Server 2003, or earlier versions. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry "On the effectiveness of DEP and ASLR" for more details.

Vendor Information

Vendor                       Status    Date Notified  Date Updated
Autonomy                     Affected  -              04 Jun 2012
CA Technologies              Affected  29 Mar 2012    05 Nov 2012
Cisco Systems, Inc.          Affected  29 Mar 2012    05 Nov 2012
EMC Corporation              Affected  29 Mar 2012    05 Nov 2012
Hewlett-Packard Company      Affected  05 Mar 2012    05 Nov 2012
Hyland Software              Affected  29 Mar 2012    04 Jun 2012
IBM Corporation              Affected  21 Nov 2012    24 Mar 2013
Lotus Software               Affected  29 Mar 2012    24 Mar 2013
McAfee                       Affected  29 Mar 2012    05 Nov 2012
Nuance Communications, Inc.  Affected  -              28 Nov 2012
Oracle Corporation           Affected  -              28 Nov 2012
Palisade Systems             Affected  22 May 2012    22 May 2012
Proofpoint                   Affected  22 May 2012    05 Nov 2012
Symantec                     Affected  29 Mar 2012    28 Jan 2014
Trend Micro                  Affected  22 May 2012    05 Nov 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7    E:ND/RL:OF/RC:C
Environmental  8.7    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2012-6277
  • Date Public: 20 Nov 2012
  • Date First Published: 20 Nov 2012
  • Date Last Updated: 28 Jan 2014
  • Document Revision: 40

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.