Major vulnerability in McAfee VirusScan

Old 03-18-05, 02:20 AM
  #1  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,874
Likes: 0
Received 2 Likes on 2 Posts
Major vulnerability in McAfee VirusScan

http://xforce.iss.net/xforce/alerts/id/190

Internet Security Systems Protection Advisory
March 17, 2005

McAfee AntiVirus Library Stack Overflow

Summary:

ISS has shipped protection for a flaw X-Force has discovered in McAfee
AntiVirus Library versions prior to 4400. The McAfee AntiVirus Library
is widely relied upon to provide antivirus capabilities to desktop,
server, and gateway systems. Also, several large vendors and ISPs
implement McAfee's AntiVirus Library in their products. By crafting an
LHA file, an attacker is able to trigger a stack overflow within the
process importing the McAfee AntiVirus Library.

Business Impact:

Compromise of antivirus protected networks and machines may lead to exposure
of confidential information, loss of productivity, and further network
compromise. Successful exploitation of this vulnerability could be used to
gain unauthorized access to networks and machines being protected by McAfee
AntiVirus Library product. Implementations of McAfee AntiVirus Library are
likely vulnerable through common protocols, e.g. SMTP, HTTP, FTP, SMB. No
authentication is required for an attacker to leverage this vulnerability
to compromise an antivirus protected network or machine. It is likely McAfee
AntiVirus Library implementations are vulnerable in their default
configurations.

Affected Products:

Active Virus Defense
Active VirusScan
Active Virus Defense SMB Edition
Active VirusScan SMB Edition
Active Threat Protection
Active Mail Protection
GroupShield for Exchange
GroupShield for Exchange 5.5
GroupShield for Lotus Domino
GroupShield for Mail Servers with ePO
LinuxShield
NetShield for Netware
PortalShield for Microsoft SharePoint
SecurityShield for Microsoft ISA Server
Virex
VirusScan (all versions)
VirusScan Professional
VirusScan ASaP/Managed VirusScan
VirusScan Command Line
VirusScan for NetApp
VirusScan(R) Enterprise (all versions)
WebShield Appliances
WebShield SMTP

Note: Additional versions may be affected, please contact your vendor for
confirmation. In addition, several ISPs and vendors also use McAfee
AntiVirus Library and are likely vulnerable.

Description:

McAfee Antivirus Library is used to parse different file formats to detect
malware. One of the modules in McAfee Antivirus Library parses the LHA
file format. Before LHA decompression, the library does not properly check
the length of type 2 header file name fields. The LHA engine ensures the
header field is no longer than 0x167 bytes, but has only allocated 0x130
bytes of stack space when the copy takes place. In order to trigger the
overflow, the LHA file must be malformed, and conform to another
non-archive file format. By sending this malformed and dual format file,
an attacker can execute arbitrary code in SYSTEM context across platforms
in a reliable manner.

This vulnerability can be triggered by an unauthenticated remote attacker,
without user interaction, by sending an e-mail containing a crafted LHA
file to the target McAfee AntiVirus Library on client, server, and gateway
implementations. Additional attack vectors exist over other common
protocols (e.g. HTTP, FTP, POP3, SMB), but some may require user interaction.

Upgrade those libs to 4400.
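An added example, not code from the post or from the ISS advisory: a hardened walker for LHA level-2 extension headers in C that applies the bounds check the advisory says was missing, comparing the file-name length against the 0x130-byte destination buffer rather than only against the 0x167-byte header limit. The header layout is an assumption modelled on the LHA level-2 format; the two sizes are taken from the advisory, and sample_verdict builds a constructed sample header to exercise the parser.

```c
#include <stdint.h>
#include <string.h>
/* Sizes from the advisory: the engine accepted extension headers up to 0x167
 * bytes but copied the file name into a 0x130-byte stack buffer. */
#define LHA_EXT_HDR_LIMIT 0x167
#define LHA_NAME_BUF      0x130
#define LHA_EXT_FILENAME  0x01           /* level-2 extension type: file name */

/* Walks the extension headers after the 26-byte level-2 base header and copies
 * the file name into `name`. Returns 0 on success, -1 if malformed or too long.
 * Assumed layout: size(2, LE), type(1), data(size-3); size counts the next size too. */
int lha_l2_filename(const uint8_t *buf, size_t len, char name[LHA_NAME_BUF])
{
    if (len < 26 || buf[20] != 2) return -1;   /* not a level-2 header */
    size_t pos = 24;                           /* first "next header size" */
    for (;;) {
        if (pos + 2 > len) return -1;
        size_t ext = buf[pos] | (buf[pos + 1] << 8);
        pos += 2;                              /* pos is now the type byte */
        /* ext == 0 ends the chain without a name; ext < 3 is malformed */
        if (ext < 3 || ext > LHA_EXT_HDR_LIMIT || pos + ext - 2 > len) return -1;
        size_t dlen = ext - 3;                 /* payload bytes after type */
        if (buf[pos] == LHA_EXT_FILENAME) {
            /* The check the advisory says was missing: passing the 0x167
             * header limit does not mean the name fits a 0x130-byte buffer. */
            if (dlen >= LHA_NAME_BUF) return -1;
            memcpy(name, buf + pos + 1, dlen);
            name[dlen] = '\0';
            return 0;
        }
        pos += ext - 2;                        /* skip type+data to next size */
    }
}

/* Constructed sample: zeroed level-2 base header, one file-name extension header
 * carrying `namelen` bytes of 'A', then an end marker. Returns the parser verdict. */
int sample_verdict(size_t namelen)
{
    uint8_t buf[0x200]; char name[LHA_NAME_BUF];
    size_t ext = namelen + 3;
    if (namelen > 0x1e0) return -2;            /* sample would not fit buf */
    memset(buf, 0, 26);
    buf[20] = 2;                               /* header level 2 */
    buf[24] = (uint8_t)(ext & 0xff); buf[25] = (uint8_t)(ext >> 8);
    buf[26] = LHA_EXT_FILENAME;
    memset(buf + 27, 'A', namelen);
    buf[27 + namelen] = 0; buf[28 + namelen] = 0;   /* next size 0: end */
    return lha_l2_filename(buf, 26 + ext, name);
}
```

A name of 0x140 bytes sits inside the 0x167-byte header limit yet is rejected, which is exactly the case the advisory describes.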
Old 03-18-05, 02:57 AM
  #2  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706
Likes: 0
Received 0 Likes on 0 Posts
are the libs what mcafee calls a dat file?
if so the dat is up to 4448 which means 4400 is pretty old and should easily be out of use on any product that's updated even semi regularly
Old 03-18-05, 11:26 AM
  #3  
DVD Talk Hall of Fame
 
Join Date: Mar 2001
Location: Atlanta
Posts: 7,935
Likes: 0
Received 0 Likes on 0 Posts
I have a question about McAfee. Just got a Dell and it is preinstalled. I plan on uninstalling it. Looks like I'll have to make some registry changes per the McAfee website. I plan on hooking up DSL service over the weekend and was wondering if I would further inconvenience myself even trying to configure it with my net needs. Why would I bother? Cause it's free for a couple of months and I can focus on some other things I want to do online before jumping into d'loading Zone Alarm and going through the hassle of getting McAfee off my computer.

I have a newer version than 4.x, but maybe I should not even waste a second with this stuff.
Old 03-20-05, 11:32 PM
  #4  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,874
Likes: 0
Received 2 Likes on 2 Posts
Originally Posted by mikehunt
are the libs what mcafee calls a dat file?
if so the dat is up to 4448 which means 4400 is pretty old and should easily be out of use on any product that's updated even semi regularly
Sorry, just getting around to looking at this thread again.

Libs equate with the environment (scan engine), not with DAT files. You are vulnerable if your engine version is 4320 (the version released prior to 4440) or, as it turns out, your DATs are older than 4436 (3/1/05). Either of those fixes the problem. Just to be safe, I would recommend 4320 users update their engine to 4440, just to be safe.
Old 03-21-05, 07:25 AM
  #5  
DVD Talk Legend
 
AGuyNamedMike's Avatar
 
Join Date: Jul 2000
Location: (formerly known as Inglenook Hampendick) Fairbanks, Alaska!
Posts: 15,287
Likes: 0
Received 1 Like on 1 Post
Strange that they didn't mention McAfee released the 4400 engine last November, use McAfee's nomenclature for the damn_thing, or even provide a direct link to the download area. I award the technical writer responsible for this alert a C minus.
Old 03-21-05, 06:40 PM
  #6  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by AGuyNamedMike
Strange that they didn't mention McAfee released the 4400 engine last November, use McAfee's nomenclature for the damn_thing, or even provide a direct link to the download area. I award the technical writer responsible for this alert a C minus.
C- is too high
