Clam AntiVirus cli_scanszdd function denial of service
| clam-antivirus-cliscanszdd-dos (21206) |  Low Risk |
Description:
Clam AntiVirus is vulnerable to a denial of service attack caused by a vulnerability in the cli_scanszdd() function in the libclamav/scanners.c. A remote attacker could send a malicious file as an email attachment or directly to a current HTTP session which, once the file is processed, would consume the available file descriptors pool and memory causing the anti-virus system to crash.
Platforms Affected:
- Clam Anti-Virus, ClamAV 0.83
- Clam Anti-Virus, ClamAV prior to 0.86
- Debian, Debian Linux 3.1
- SuSE, Linux Enterprise Server 9
- SuSE, SuSE Linux 9.1
- SuSE, SuSE Linux 9.2
- SuSE, SuSE Linux 9.3
Remedy:
Upgrade to the latest version of Clam AntiVirus (0.86 or later), available from the ClamAV Download Web page. See References.
For Mandrake/Linux:
Upgrade to the latest version of clamav (0.81-0.3.101 or later), as listed in Madriva Security Update MDKSA-2005:113. See References.
For Debian GNU/Linux 3.1 (Sarge):
Upgrade to the latest version of clamav (0.84-2.sarge.1 or later), as listed in DSA-737-1. See Reference
As a workaround, follow the instructions as listed in the iDEFENSE Security Advisory 06.29.05. See References.
For SUSE Linux:
Upgrade to the latest Clamav listed below. Refer to SUSE Security Announcement SUSE-SA:2005:038 for more information. See References.
x86 and x86-64 Platforms:
SUSE Linux 9.3 and 9.2: 86.1-0.1 or later
SUSE Linux 9.1: 86.1-0.2 or later
For Conectiva Linux 9.0 and 10.0:
Upgrade to the latest version of clamav (0.86.1 or later), as listed in Conectiva Linux Security Announcement CLSA-2005:973. See References.
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2005-06-23 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- ClamAV Download Web page, clamav 0.86.1 released at http://www.clamav.net/stable.php#pagestart.
- Conectiva Linux Security Announcement CLSA-2005:973, Fixes for two security vulnerabilities in clamav at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000973.
- iDEFENSE Security Advisory 06.29.05, Clam AntiVirus ClamAV MS-Expand File Handling DoS Vulnerability at http://www.idefense.com/application/poi/display?id=276&type=vulnerabilities.
- SourceForge.net, Project: Clam AntiVirus: Release Notes at http://sourceforge.net/project/shownotes.php?release_id=337279.
- BID-14058: Clam Anti-Virus ClamAV Unspecified Quantum Decompressor Denial Of Service Vulnerability
- BID-14089: Clam Anti-Virus ClamAV Cabinet File Parsing Remote Denial Of Service Vulnerability
- BID-14090: Clam Anti-Virus ClamAV MS-Expand File Parsing Remote Denial Of Service Vulnerability
- CVE-2005-1922: The MS-Expand file handling in Clam AntiVirus (ClamAV) before 0.86 allows remote attackers to cause a denial of service (file descriptor and memory consumption) via a crafted file that causes repeated errors in the cli_msexpand function.
- CVE-2005-2056: The Quantum archive decompressor in Clam AntiVirus (ClamAV) before 0.86.1 allows remote attackers to cause a denial of service (application crash) via a crafted Quantum archive.
- DSA-737: clamav -- remote denial of service
- GLSA-200506-23: Clam AntiVirus: Denial of Service vulnerability
- SA15811: ClamAV Quantum Decompressor Denial of Service Vulnerability
- SUSE-SA:2005:038: clamav: multiple security and other bugfixes
Reported:
Jun 29, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net