F-Secure Anti-Virus ZIP archive bypass scanning

fsecure-zip-scan-bypass (18217) The risk level is classified as MediumMedium Risk

Description:

F-Secure Anti-Virus could allow a remote attacker to bypass antivirus scanning. By creating a specially-crafted ZIP archive that spoofs a zero length, a remote attacker could prevent the scanner from scanning the malicious archive and bypass antivirus protection.


Consequences:

Bypass Security

Remedy:

Apply the appropriate hotfix for your system, as listed in the F-Secure Security Bulletin FSC-2004-3. See References.

References:

  • CIAC Information Bulletin P-041: F-Secure Zip Archive Bypasses Scanning.
  • F-Secure Security Bulletin FSC-2004-3: ZIP-files with zero size may bypass scanning.
  • BID-11732: F-Secure Anti-Virus ZIP Archive Scanner Bypass Vulnerability
  • CVE-2004-2442: Multiple interpretation error in various F-Secure Anti-Virus products, including Workstation 5.43 and earlier, Windows Servers 5.50 and earlier, MIMEsweeper 5.50 and earlier, Anti-Virus for Linux Servers and Gateways 4.61 and earlier, and other products, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on the target system.
  • SA13263: F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
  • US-CERT VU#968818: Anti-virus software may not properly scan malformed zip archives

Platforms Affected:

  • Debian Debian Linux 3.0
  • F-Secure Anti-Virus 2004
  • F-Secure Anti-Virus 2005
  • F-Secure Anti-Virus Client Security 5.55 and prior
  • F-Secure Anti-Virus for Firewalls 6.20 and prior
  • F-Secure Anti-Virus for Linux Gateways 4.61 and prior
  • F-Secure Anti-Virus for Linux Servers 4.61 and prior
  • F-Secure Anti-Virus for Linux WS 4.52 and prior
  • F-Secure Anti-Virus for MIMEsweeper 5.50 and prior
  • F-Secure Anti-Virus for MS Exchange 6.01 and prior
  • F-Secure Anti-Virus for MS Exchange 6.31 and prior
  • F-Secure Anti-Virus for Samba Servers 4.60
  • F-Secure Anti-Virus for Windows Servers 5.42 and prior
  • F-Secure Anti-Virus for Workstation 5.43
  • F-Secure Anti-Virus Linux Client 5.00
  • F-Secure Anti-Virus Linux Server 5.00
  • F-Secure Internet Gatekeeper 6.41
  • F-Secure Internet Gatekeeper for Linux 2.06
  • F-Secure Internet Security 2004
  • F-Secure Internet Security 2005
  • Microsoft Windows 2003 Server
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux AS
  • RedHat Linux 7.3
  • RedHat Linux 8.0
  • RedHat Linux 9.0
  • SuSE Linux Enterprise Server 8
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SuSE SuSE SLES 9

Reported:

Nov 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page