F-Secure Anti-Virus ZIP archive bypass scanning

fsecure-zip-scan-bypass (18217) The risk level is classified as MediumMedium Risk

Description:

F-Secure Anti-Virus could allow a remote attacker to bypass antivirus scanning. By creating a specially-crafted ZIP archive that spoofs a zero length, a remote attacker could prevent the scanner from scanning the malicious archive and bypass antivirus protection.

Platforms Affected:

  • Debian, Debian Linux 3.0
  • F-Secure, Anti-Virus 2004
  • F-Secure, Anti-Virus 2005
  • F-Secure, Anti-Virus Client Security 5.55 and prior
  • F-Secure, Anti-Virus for Firewalls 6.20 and prior
  • F-Secure, Anti-Virus for Linux Gateways 4.61 and prior
  • F-Secure, Anti-Virus for Linux Servers 4.61 and prior
  • F-Secure, Anti-Virus for Linux WS 4.52 and prior
  • F-Secure, Anti-Virus for MIMEsweeper 5.50 and prior
  • F-Secure, Anti-Virus for MS Exchange 6.01 and prior
  • F-Secure, Anti-Virus for MS Exchange 6.31 and prior
  • F-Secure, Anti-Virus for Samba Servers 4.60
  • F-Secure, Anti-Virus for Windows Servers 5.42 and prior
  • F-Secure, Anti-Virus for Workstation 5.43 and prior
  • F-Secure, Anti-Virus Linux Client 5.00
  • F-Secure, Anti-Virus Linux Server 5.00
  • F-Secure, Internet Gatekeeper 6.41 and prior
  • F-Secure, Internet Gatekeeper for Linux 2.06
  • F-Secure, Internet Security 2004
  • F-Secure, Internet Security 2005
  • Microsoft, Windows 2003 Server
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux AS
  • RedHat, Linux 7.3
  • RedHat, Linux 8.0
  • RedHat, Linux 9.0
  • SuSE, Linux Enterprise Server 8
  • SuSE, SuSE Linux 9.0
  • SuSE, SuSE Linux 9.1
  • SuSE, SuSE SLES 9

Remedy:

Apply the appropriate hotfix for your system, as listed in the F-Secure Security Bulletin FSC-2004-3. See References.

Consequences:

Bypass Security

References:

  • CIAC Information Bulletin P-041, F-Secure Zip Archive Bypasses Scanning at http://www.ciac.org/ciac/bulletins/p-041.shtml.
  • F-Secure Security Bulletin FSC-2004-3, ZIP-files with zero size may bypass scanning at http://www.f-secure.com/security/fsc-2004-3.shtml.
  • BID-11732: F-Secure Anti-Virus ZIP Archive Scanner Bypass Vulnerability
  • CVE-2004-2442: Multiple interpretation error in various F-Secure Anti-Virus products, including Workstation 5.43 and earlier, Windows Servers 5.50 and earlier, MIMEsweeper 5.50 and earlier, Anti-Virus for Linux Servers and Gateways 4.61 and earlier, and other products, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on the target system.
  • SA13263: F-Secure Products Zip Archive Virus Detection Bypass Vulnerability
  • US-CERT VU#968818: Anti-virus software may not properly scan malformed zip archives

Reported:

Nov 23, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page