Multiple vendor ZOO archive decompression denial of service
| multiple-vendor-zoo-dos (34080) |  Low Risk |
Description:
Barracuda Spam Firewall, Panda Software Antivirus, avast! antivirus, Avira AntiVir, zoo, unzoo, WinAce, PicoZip, AMaViS, and multiple unspecified applications that handle ZOO archives are vulnerable to a denial of service, caused by an error in the ZOO compression algorithm implementation. By sending a specially-crafted ZOO archive, a remote attacker could exploit this vulnerability to consume all available system resources or crash the affected system.
Platforms Affected:
- Acubix, PicoZip
- Alwil, avast! prior to 4.7.981
- amavis.org, AMaViS 2.4.1 and prior
- Avira, AntiVir prior to 7.3.0.6
- Barracuda Networks, Barracuda Spam Firewall prior to vd 2.0.6399
- eMerge, WinAce
- linux.maruhn.com, zoo 2.10 and prior
- Open Source, unzoo 4.4
- Panda Software, Panda Antivirus prior to 4/2/2007
Remedy:
For Barracuda Spam Firewall:
Upgrade to the latest virus definition version of Barracuda Spam Firewall (virusdef 2.0.6399 for 3.4 and after or virusdef 2.0.6399o for prior to 3.4), available from the automatic update.
For Panda Software Antivirus:
Upgrade to the latest version of Panda Software Antivirus (4/2/2007 or later), available from the automatic update feature.
For avast! antivirus:
Upgrade to the latest version of Panda Software Antivirus (4.7.981 or later), available from the avast! antivirus Web site. See references.
For Avira AntiVir:
Upgrade to the latest version of Avira AntiVir (avpack32.dll version 7.3.0.6 or later), available from the automatic update feature.
For AMaViS:
Refer to ASA-2007-2 for patch, upgrade, or suggested workaround information. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- ASA-2007-2, ZOO archive decompression infinite loop DoS at http://www.amavis.org/security/asa-2007-2.txt.
- avast! antivirus Web site, avast! antivirus updates at http://www.avast.com/eng/updates.html.
- Avira AntiVir Web site, Anti virus for Linux, Windows and more with firewall, antispam, recovery security - Avira AntiVir at http://www.avira.com/en/pages/index.php.
- Barracuda Spam Firewall Web site, Spam Filter / Spam Firewall / Web Filter / Spam Appliance / Load Balancer / Content Filter at http://www.barracudanetworks.com/ns/?L=en.
- BugTraq Mailing List, Fri May 04 2007 - 10:14:45 CDT , Multiple vendors ZOO file decompression infinite loop DoS at http://archives.neohapsis.com/archives/bugtraq/2007-05/0046.html.
- Panda Software Antivirus Web site, Antivirus, anti-spyware, anti-spam, firewall. Protect yourself with Panda at http://www.pandasoftware.com/.
- PicoZip Web site, Zip and UnZip Files Easily - Download WinZip and PKZip compatible software at http://www.picozip.com/.
- unzoo Web site, Tools at http://archives.math.utk.edu/software/multi-platform/gap/util/unzoo.c.
- WinAce Web site, WinAce - your archiving companion at http://www.winace.com/.
- zoo archive Web site, zoo: ZOO archive utilities at http://www.math.utah.edu/pub/zoo/.
- BID-23823: Multiple Vendors Zoo Compression Algorithm Remote Denial of Service Vulnerability
- CVE-2007-1669: zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-1670: Panda Software Antivirus before 20070402 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-1671: avpack32.dll before 7.3.0.6 in Avira AntiVir allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-1672: avast! antivirus before 4.7.981 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-1673: unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-2535: WinAce allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- CVE-2007-2536: PicoZip allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
- OSVDB ID: 35795: Barracuda Spam Firewall Malformed Zoo Archive DoS
- SA25122: Barracuda Spam Firewall Zoo Denial of Service Vulnerability
- SA25137: avast! Zoo Denial of Service Vulnerability
- SA25140: Avira AntiVir Zoo Denial of Service Vulnerability
- SA25152: Panda AntiVirus Zoo Denial of Service Vulnerability
- SA25315: Amavis Zoo Denial of Service Vulnerability
- VUPEN/ADV-2007-1699: Barracuda Spam Firewall ZOO Archive Handling Denial of Service Vulnerability
- VUPEN/ADV-2007-1700: Panda Antivirus Products ZOO Archive Handling Denial of Service Vulnerability
- VUPEN/ADV-2007-1701: avast! Home/Professional ZOO Archive Processing Denial of Service Vulnerability
- VUPEN/ADV-2007-1702: Avira AntiVir ZOO Archive Processing Client-Side Denial of Service Vulnerability
Reported:
May 04, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net