
DOE-CIRC TECHNICAL BULLETIN

T-130: F-PROT Products CAB File Scan Evasion Vulnerability

May 12, 2009 16:00 GMT

PROBLEM: Multiple F-Prot products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine.
PLATFORM: Frisk Software F-PROT Milter 0, Frisk Software F-PROT AVES 0, Frisk Software F-PROT Antivirus for Windows on Mail Servers 0, Frisk Software F-Prot Antivirus for Windows, Frisk Software F-PROT Antivirus for Solaris Mail Servers 0, Frisk Software F-Prot Antivirus for Linux x86 Workstations 0, Frisk Software F-PROT Antivirus for Linux x86 Mail Servers 0, Frisk Software F-PROT Antivirus for Linux x86 File Servers 0, Frisk Software F-PROT Antivirus for Linux on IBM zSeries 0, Frisk Software F-Prot Antivirus for Exchange
ABSTRACT: The parsing engine can be bypassed by a specially crafted and formatted CAB archive (the "Filesize" variant).

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-130.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/34896/info
    F-Prot Advisory: http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html

Impact Assessment: This risk is medium. A successful exploit allows an attacker to distribute files containing malicious code that the antivirus application will fail to detect.

Problem:
Multiple F-Prot products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine. 

Platform:
Frisk Software F-PROT Milter 0
Frisk Software F-PROT AVES 0
Frisk Software F-PROT Antivirus for Windows on Mail Servers 0
Frisk Software F-Prot Antivirus for Windows 
Frisk Software F-PROT Antivirus for Solaris Mail Servers 0
Frisk Software F-Prot Antivirus for Linux x86 Workstations 0
Frisk Software F-PROT Antivirus for Linux x86 Mail Servers 0
Frisk Software F-PROT Antivirus for Linux x86 File Servers 0
Frisk Software F-PROT Antivirus for Linux on IBM zSeries 0
Frisk Software F-Prot Antivirus for Exchange 

Abstract:
Multiple F-Prot products are prone to a vulnerability that may allow certain compressed archives to bypass the scan engine: the parsing engine can be bypassed by a specially crafted and formatted CAB archive (the "Filesize" variant).
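
The bulletin names only a "Filesize" variant of a crafted CAB and gives no further detail. Added here as an illustration, and not code from DOE-CIRC, Frisk or the original advisory, the following Python check assumes the size field in the CAB header (cbCabinet) is the field at issue and shows the kind of structural sanity check a mail gateway or scanner wrapper can apply before trusting an archive: it parses the fixed 36-byte CFHEADER and reports any header claim that disagrees with the bytes actually present. The sample cabinet is constructed inline.

```python
import struct

# Fixed 36-byte CFHEADER of the Microsoft Cabinet format (little-endian):
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def parse_cfheader(data: bytes) -> dict:
    """Parse the fixed CFHEADER fields; raise ValueError if this is not a CAB at all."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short for a CFHEADER")
    f = CFHEADER.unpack_from(data)
    if f[0] != b"MSCF":
        raise ValueError("missing MSCF signature")
    return {"cbCabinet": f[2], "coffFiles": f[4], "cFolders": f[8], "cFiles": f[9]}


def check_cab_consistency(data: bytes) -> list:
    """Return findings where header claims disagree with the bytes actually present.

    A scan engine that trusts cbCabinet or coffFiles instead of the real length can be
    steered past content; an empty list means the fixed header is self-consistent.
    """
    hdr = parse_cfheader(data)
    findings = []
    if hdr["cbCabinet"] != len(data):
        findings.append("cbCabinet=%d but actual size is %d" % (hdr["cbCabinet"], len(data)))
    if hdr["coffFiles"] >= len(data):
        findings.append("coffFiles=%d points past end of data" % hdr["coffFiles"])
    if hdr["cFolders"] == 0 or hdr["cFiles"] == 0:
        findings.append("header declares no folders or no files")
    return findings


def build_sample_cab(cb_cabinet=None) -> bytes:
    """Constructed minimal CAB: one folder, one empty uncompressed file entry, no CFDATA."""
    folder = struct.pack("<IHH", 0, 0, 0)  # CFFOLDER: coffCabStart, cCFData, typeCompress
    # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated name
    cffile = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + b"a.txt\0"
    coff_files = CFHEADER.size + len(folder)
    total = coff_files + len(cffile)
    header = CFHEADER.pack(b"MSCF", 0, total if cb_cabinet is None else cb_cabinet,
                           0, coff_files, 0, 3, 1, 1, 1, 0, 0, 0)
    return header + folder + cffile


if __name__ == "__main__":
    print(check_cab_consistency(build_sample_cab()))                          # []
    print(check_cab_consistency(build_sample_cab(cb_cabinet=0x7FFFFFFF)))     # one finding
```

Only the fixed header is checked; cabinets with the reserve-present flag carry extra optional fields after it, and a production check would also walk the CFFOLDER and CFFILE records against the real length.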

References:
  Security Focus: http://www.securityfocus.com/bid/34896/info
  F-Prot Advisory: http://blog.zoller.lu/2009/04/advisory-f-prot-frisk-cab-bypass.html

DOE-CIRC wishes to acknowledge the contributions of Thierry Zoller for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788