FreeBSD : clamav -- ClamAV libclamav PE File Integer Overflow Vulnerability (be4b0529-dbaf-11dc-9791-000ea6702141)

This script is Copyright (C) 2008-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

iDefense Security Advisory 02.12.08 :

Remote exploitation of an integer overflow vulnerability in Clam
AntiVirus' ClamAV, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
privileges of the affected process.

The vulnerability exists within the code responsible for parsing and
scanning PE files. While iterating through all sections contained in
the PE file, several attacker controlled values are extracted from the
file. On each iteration, arithmetic operations are performed without
taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker
can cause a heap overflow by causing a specially crafted Petite packed
PE binary to be scanned. This results in an exploitable memory
corruption condition.

Exploitation of this vulnerability results in the execution of
arbitrary code with the privileges of the process using libclamav. In
the case of the clamd program, this will result in code execution with
the privileges of the clamav user. Unsuccessful exploitation results
in the clamd process crashing.

Workaround :

Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the
'--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to
'no'.
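
The 32-bit wrap described in the advisory above, shown as an added C example (not ClamAV's code and not part of the advisory). The `section` struct, its two fields and the function names are hypothetical, and the sample values in `main` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified section record: two attacker-controlled
 * 32-bit values as read from a PE section table. */
struct section {
    uint32_t raw_offset;  /* file offset of the section data */
    uint32_t raw_size;    /* size of the section data */
};

/* Naive check: the sum is computed modulo 2^32, so a huge raw_size
 * can wrap to a small "end" that passes the comparison. */
static int in_bounds_naive(const struct section *s, uint32_t file_size)
{
    uint32_t end = s->raw_offset + s->raw_size;  /* may wrap */
    return end <= file_size;
}

/* Wrap-safe check: compare against the space left, never form the sum. */
static int in_bounds_safe(const struct section *s, uint32_t file_size)
{
    if (s->raw_offset > file_size)
        return 0;
    return s->raw_size <= file_size - s->raw_offset;
}

/* Accumulate section sizes across the loop (e.g. to size one buffer),
 * rejecting bad bounds and a wrapping total. Returns 0 on success. */
static int total_size_checked(const struct section *secs, size_t n,
                              uint32_t file_size, uint32_t *total)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_bounds_safe(&secs[i], file_size))
            return -1;
        if (secs[i].raw_size > UINT32_MAX - sum)  /* sum would wrap */
            return -1;
        sum += secs[i].raw_size;
    }
    *total = sum;
    return 0;
}

int main(void)
{
    struct section bad = { 0x1000u, 0xFFFFF000u };  /* constructed sample */
    printf("naive=%d safe=%d\n", in_bounds_naive(&bad, 0x10000u),
           in_bounds_safe(&bad, 0x10000u));
    return 0;
}
```
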

See also :

http://www.nessus.org/u?ccc9155a
http://www.nessus.org/u?91209430
http://www.nessus.org/u?c6808c16

Solution :

Update the affected package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 31109 (freebsd_pkg_be4b0529dbaf11dc9791000ea6702141.nasl)

Bugtraq ID:

CVE ID: CVE-2008-0318
