Multiple vendor antivirus/IDS devices bypass detection

antivirus-detection-bypass (18882) The risk level is classified as Medium Risk

Description:

Multiple vendor antivirus scanners and IDS devices, including Check Point Firewall-1 NG, IronPort AsyncOS with Sophos AV, UnityOne IPS, McAfee Webshield, TrendMicro InterScan, and Proventia, could allow a remote attacker to bypass scan detection measures. These devices provide weak support for the standard specified in RFC 2397. A remote attacker could send a malicious base64-encoded image in an HTML file to bypass detection and compromise a vulnerable system.
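The check a scanning gateway needs in order to close this gap, shown as an added example that is not part of the advisory or any vendor's code: find every RFC 2397 "data:" URL in the HTML, decode it, and inspect the decoded bytes rather than the encoded text. The function names, the MAGIC table (a stand-in for a real scan engine) and the sample markup are assumptions made for illustration.

```python
import base64, binascii, re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

DATA_URL = re.compile(r"^\s*data:([^,]*),(.*)$", re.IGNORECASE | re.DOTALL)
# Stand-in for a real scanning engine (assumption): a few magic numbers only.
MAGIC = {b"GIF87a": "image/gif", b"GIF89a": "image/gif", b"\x89PNG\r\n\x1a\n": "image/png",
         b"\xff\xd8\xff": "image/jpeg", b"MZ": "application/x-msdownload"}

def decode_data_url(url):
    """Parse data:[<mediatype>][;base64],<data> (RFC 2397); None if not a data: URL."""
    m = DATA_URL.match(url)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    mediatype = params[0] or "text/plain"        # RFC 2397 default type
    raw = unquote_to_bytes(m.group(2))           # %xx escapes are legal in the data part
    if "base64" not in params[1:]:
        return mediatype, raw
    compact = b"".join(raw.split())              # clients tolerate embedded whitespace
    compact += b"=" * (-len(compact) % 4)        # ...and missing padding
    try:
        return mediatype, base64.b64decode(compact)
    except binascii.Error:
        return mediatype, None                   # undecodable: report it, do not skip it

class DataUrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            decoded = decode_data_url(value or "")
            if decoded:
                self.found.append((tag, name) + decoded)

def sniff(payload):
    return next((k for m, k in MAGIC.items() if payload and payload.startswith(m)),
                "undecodable" if payload is None else "unknown")

def scan_html(html):
    collector = DataUrlCollector()
    collector.feed(html)
    collector.close()
    return [{"tag": t, "attr": a, "declared": d, "actual": sniff(p), "mismatch": sniff(p) != d}
            for t, a, d, p in collector.found]

# Constructed sample: "R0lGODlh" is a bare GIF89a header, "TVoAAAAA" is "MZ" plus zero bytes.
SAMPLE_HTML = '<img src="data:image/gif;base64,R0lGODlh"><img src="data:image/gif;base64,TVoAAAAA">'
```

Calling scan_html(SAMPLE_HTML) returns one finding per embedded URL; the second is flagged because the decoded bytes do not match the declared image type.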


Consequences:

Bypass Security

Remedy:

Upgrade to the latest XPU, as listed below, available from the Internet Security Systems Web site. See References.

Proventia A Series, XPU 23.2
Proventia G Series, XPU 23.2
Proventia M Series, XPU 1.39

References:

Platforms Affected:

  • 3Com TippingPoint UnityOne IPS
  • CheckPoint FireWall-1 R55 HFA08
  • IBM ISS Proventia Network IDS
  • IBM ISS Proventia Network MFS
  • IBM ISS Proventia-G 1.1 and earlier
  • IronPort AsyncOS
  • McAfee WebShield 3000 4.3.20
  • Sophos Sophos Anti-Virus 3.88
  • Trend Micro InterScan Messaging Security 3.1 Build 1027
  • Trend Micro InterScan WebProtect 3.1 Build 1027

Reported:

Jan 11, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
