ISS X-Force Database: clam-antivirus-ensurebits-dos(21204): Clam AntiVirus ENSURE

Clam AntiVirus ENSURE_BITS function denial of service

clam-antivirus-ensurebits-dos (21204)

Low Risk

Description:

Clam AntiVirus is vulnerable to a denial of service attack caused by improper validation of user-supplied input in the ENSURE_BITS() function in the libclamav/mspack/mszipd.c. A remote attacker could send a specially-crafted CAB file with a cffile_FolderOffset set to 0xff to cause the program to enter an infinite loop, resulting in a denial of service.

Platforms Affected:

Clam Anti-Virus, ClamAV 0.83
Clam Anti-Virus, ClamAV prior to 0.86
Debian, Debian Linux 3.1

Remedy:

Upgrade to the latest version of Clam AntiVirus (0.86 or later), available from the ClamAV Download Web page. See References.

For Debian GNU/Linux 3.1 (Sarge):
Upgrade to the latest version of clamav (0.84-2.sarge.1 or later), as listed in DSA-737-1. See Reference.

For Conectiva Linux 9.0 and 10.0:
Upgrade to the latest version of clamav (0.86.1 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:973. See References.

As a workaround, follow the instructions as listed in iDEFENSE Security Advisory 06.29.05. See References.

Consequences:

Denial of Service

References:

ClamAV Download Web page, clamav 0.86.1 released at http://www.clamav.net/stable.php#pagestart.
Conectiva Linux Security Announcement CLSA-2005:973, Fixes for two security vulnerabilities in clamav at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000973.
iDEFENSE Security Advisory 06.29.05, Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability at http://www.idefense.com/application/poi/display?id=275&type=vulnerabilities&flashstatus=true.
BID-14089: Clam Anti-Virus ClamAV Cabinet File Parsing Remote Denial Of Service Vulnerability
BID-14090: Clam Anti-Virus ClamAV MS-Expand File Parsing Remote Denial Of Service Vulnerability
CVE-2005-1923: The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) 0.83, and other versions vefore 0.86, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff, which causes a zero-length read.
DSA-737: clamav -- remote denial of service

Reported:

Jun 29, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page