The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NETASQ Firewall

vulnerability alert CVE-2007-3725

ClamAV, unrar: denial of service

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to stop ClamAV or unrar.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 11/07/2007.
Identifiers: BID-24866, CERTA-2002-AVI-136, CERTA-2007-AVI-306, CVE-2007-3725, DSA-1340-1, MDKSA-2007:150, SUSE-SR:2007:015, VIGILANCE-VUL-6991.

Description of the vulnerability

The ClamAV antivirus and the unrar tool share the same vulnerability.

The execute_standard_filter() function of unrarvm.c does not check whether one of the sizes indicated in the RAR file is too small. This error forces ClamAV to read data at an invalid address, which leads to a segmentation fault.

An attacker can therefore create a malicious RAR archive in order to stop ClamAV or unrar.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability CVE-2007-2650 CVE-2007-3023 CVE-2007-3024

ClamAV: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of ClamAV lead to denials of service or to code execution.
Impacted products: ClamAV, Debian, Fedora, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 3/4.
Creation date: 31/05/2007.
Identifiers: BID-24289, BID-24316, BID-24358, CVE-2007-2650, CVE-2007-3023, CVE-2007-3024, CVE-2007-3025, CVE-2007-3122, CVE-2007-3123, DSA-1320-1, FEDORA-2007-1154, MDKSA-2007:115, SUSE-SA:2007:033, VIGILANCE-VUL-6855.

Description of the vulnerability

Several vulnerabilities of ClamAV lead to denials of service or to code execution.

The %v parameter is not correctly checked in freshclam/manager.c. [severity:3/4]

Malicious RAR headers are not correctly handled in libclamav/unrar/unrar.c. [severity:3/4; BID-24289, CVE-2007-3122]

The size of data is not correctly computed in libclamav/unsp.c. [severity:3/4; CVE-2007-3023]

Permissions of temporary files created by cli_gentempstream() are not sufficiently strict. [severity:3/4; CVE-2007-3024]

A malicious OLE file can generate an infinite loop in libclamav/ole2_extract.c. [severity:3/4; BID-24316, CVE-2007-2650]

An unknown vulnerability affects libclamav/phishcheck.c. [severity:3/4; CVE-2007-3025]

An unknown vulnerability affects libclamav/unrar/unrar.c. [severity:3/4; CVE-2007-3123]

An unknown vulnerability affects libclamav/pdf.c. [severity:3/4]

vulnerability CVE-2007-1745 CVE-2007-1997 CVE-2007-2029

ClamAV: vulnerabilities of CHM, CAB and PDF

Synthesis of the vulnerability

An attacker can create CHM, CAB and PDF files leading to denials of service or to code execution on ClamAV.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 3/4.
Creation date: 13/04/2007.
Revision date: 17/04/2007.
Identifiers: BID-23473, BID-23656, CERTA-2002-AVI-088, CVE-2007-1745, CVE-2007-1997, CVE-2007-2029, DSA-1281-1, DSA-1281-2, MDKSA-2007:098, SUSE-SA:2007:026, VIGILANCE-VUL-6740.

Description of the vulnerability

Three vulnerabilities were announced in ClamAV antivirus.

When an error occurs during the analysis of a CHM file, the chm_decompress_stream() function of libclamav/chmunpack.c does not lock the temporary file containing the binary. [severity:3/4; CVE-2007-1745]

A malicious CAB archive can generate an integer overflow in cab_unstore() function of libclamav/cab.c, leading to code execution. [severity:3/4; CVE-2007-1997]

The PDF format is composed of a series of objects (pages, fonts, catalog, etc.), which can be compressed with zlib. The cli_pdf() function of libclamav/pdf.c stores compressed data in a temporary file in order to uncompress them. However, if the size of the compressed data is zero, the temporary file descriptor is not closed. [severity:3/4; BID-23656, CVE-2007-2029]

vulnerability alert CVE-2006-1614 CVE-2006-1615 CVE-2006-1630

ClamAV: several vulnerabilities

Synthesis of the vulnerability

An attacker can generate several errors in ClamAV leading to code execution or to a denial of service.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 2/4.
Creation date: 06/04/2006.
Revision date: 10/04/2006.
Identifiers: BID-17388, CERTA-2002-AVI-009, CERTA-2006-AVI-140, CVE-2006-1614, CVE-2006-1615, CVE-2006-1630, DSA-1024-1, MDKSA-2006:067, SUSE-SA:2006:020, VIGILANCE-VUL-5741.

Description of the vulnerability

The ClamAV antivirus has 3 vulnerabilities.

An integer overflow occurs during PE header analysis when the ArchiveMaxFileSize option is deactivated (CVE-2006-1614).

Several format string attacks can occur in logging code (CVE-2006-1615).

A memory access error in the cli_bitset_set() function stops the service (CVE-2006-1630).

vulnerability note 5734

NetASQ: denial of service of ARP

Synthesis of the vulnerability

An attacker can generate a memory leak during transparent VLAN usage.
Impacted products: NETASQ.
Severity: 1/4.
Creation date: 03/04/2006.
Identifiers: na_rn_6151_001_fr, VIGILANCE-VUL-5734.

Description of the vulnerability

The NETASQ firewall supports transparent VLAN.

When an ARP packet is received on a transparent VLAN, memory is allocated but never freed.

A network attacker can therefore progressively saturate memory.

vulnerability alert CVE-2006-0162

ClamAV: buffer overflow of UPX

Synthesis of the vulnerability

An attacker can create a malicious UPX program in order to run code on ClamAV.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, OpenBSD.
Severity: 2/4.
Creation date: 10/01/2006.
Revision date: 13/01/2006.
Identifiers: BID-16191, CERTA-2006-AVI-012, CVE-2006-0162, DSA-947-1, DSA-947-2, MDKSA-2006:016, OPSA_20060114, VIGILANCE-VUL-5501, VU#385908, ZDI-06-001.

Description of the vulnerability

Programs can be packed in order to shrink their size and make their analysis harder. ClamAV supports the UPX packer (Ultimate Packer for eXecutables).

A program packed with UPX can lead to a buffer overflow in libclamav/upx.c.

An attacker can therefore send a UPX-packed program in order to run code or to conduct a denial of service.

computer vulnerability 5435

Netasq: denials of service

Synthesis of the vulnerability

An attacker can send HTTP or UDP data to stop the system.
Impacted products: NETASQ.
Severity: 2/4.
Creation date: 19/12/2005.
Identifiers: na_rn_6132_001, VIGILANCE-VUL-5435.

Description of the vulnerability

An attacker can conduct two independent denials of service.

The first is related to ASQ, when "Tunneling possible utilisant la méthode connect" is configured to "passer". In this case, an HTTP packet using the CONNECT method stops the system.

The second one is related to IPSec VPN and to NAT-T (NAT Traversal). In this case, a fragmented UDP packet stops the system.

vulnerability announce CVE-2005-3666 CVE-2005-3667 CVE-2005-3668

IPSec: vulnerabilities of some ISAKMP protocol implementations

Synthesis of the vulnerability

Several implementations of ISAKMP protocol are affected by the same vulnerabilities.
Impacted products: FW-1, VPN-1, ASA, Cisco Catalyst, IOS Cisco, Cisco Router, Cisco VPN Concentrator, Debian, Fedora, Tru64 UNIX, HP-UX, Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, Mandriva Linux, NETASQ, NetBSD, openSUSE, Openswan, Solaris, RHEL, ProPack, SEF, SGS, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 14/11/2005.
Revision date: 22/11/2005.
Identifiers: 102040, 102246, 10310, 20060501-01-U, 273756, 273756/NISCC/ISAKMP, 6317027, 6348585, 68158, BID-15401, BID-15402, BID-15416, BID-15420, BID-15474, BID-15479, BID-15516, BID-15523, BID-17030, BID-17902, c00602119, CERTA-2005-AVI-458, CERTA-2005-AVI-504, CQ/68020, CSCed94829, CSCei14171, CSCei15053, CSCei19275, CSCei46258, CSCsb15296, CVE-2005-3666, CVE-2005-3667, CVE-2005-3668, CVE-2005-3669, CVE-2005-3670, CVE-2005-3671, CVE-2005-3672, CVE-2005-3673, CVE-2005-3674, CVE-2005-3675, CVE-2005-3732, CVE-2005-3733, CVE-2005-3768, CVE-2006-2298, DSA-965-1, FEDORA-2005-1092, FEDORA-2005-1093, FLSA:190941, FLSA-2006:190941, HPSBTU02100, HPSBUX02076, MDKSA-2006:020, NetBSD-SA2006-003, NISCC/ISAKMP/273756, PR/61076, PR/61779, PSN-2005-11-007, RHSA-2006:026, RHSA-2006:0267-01, SEF8.0-20051114-00, sk31316, SSRT050979, SUSE-SA:2005:070, SYM05-025, VIGILANCE-VUL-5352, VU#226364.

Description of the vulnerability

The IPSec protocol is used to create VPNs. To create an IPSec tunnel, an SA (Security Association: algorithm, key size, etc.) has to be shared between both ends. The SA can be set by the administrator, or exchanged automatically. In the latter case, the IKE protocol (Internet Key Exchange) is used. IKE is based on ISAKMP (and Oakley/Skeme). The ISAKMP protocol (Internet Security Association and Key Management Protocol) defines a generic framework (format and mechanism). ISAKMP uses two phases: first a secure connection is set up (phase 1, main mode or aggressive mode), then this connection is used to exchange one or several SAs (phase 2, quick mode). The aggressive mode uses fewer packets than main mode, and is therefore not recommended.

Several products incorrectly implement phase 1 of the ISAKMP/IKEv1 protocol. They contain buffer overflow, format string or denial of service vulnerabilities.

Depending on the product, these vulnerabilities lead to code execution or to a denial of service.

vulnerability alert CVE-2005-3239 CVE-2005-3303 CVE-2005-3500

ClamAV: incorrect handling of mbox, TNEF, CAB, FSG and OLE files

Synthesis of the vulnerability

An attacker can create archives corrupting ClamAV memory, or leading to infinite loops.
Impacted products: ClamAV, Debian, Mandriva Corporate, Mandriva Linux, NETASQ, openSUSE.
Severity: 3/4.
Creation date: 04/11/2005.
Revision date: 07/11/2005.
Identifiers: BID-15316, BID-15317, BID-15318, CERTA-2005-AVI-437, CVE-2005-3239, CVE-2005-3303, CVE-2005-3500, CVE-2005-3501, DSA-887-1, iDEFENSE Security Advisory 11.04.05, MDKSA-2005:205, SUSE-SR:2005:026, VIGILANCE-VUL-5331, ZDI-05-002.

Description of the vulnerability

Several vulnerabilities were announced in Clam AntiVirus.

Mbox files whose attachments have an empty filename are not analyzed.

The FSG tool is used to compress programs. The file libclamav/fsg.c does not correctly compute the buffer size in the unfsg_133() function. Memory is then corrupted, which leads to code execution.

TNEF files (Transport Neutral Encapsulation Format) generally contain Outlook or Exchange data. An infinite loop can occur in libclamav/tnef.c.

A Microsoft CAB archive can lead to an infinite loop in libclamav/mspack/cabd.c.

An infinite loop can occur in libclamav/ole2_extract.c.

computer vulnerability alert CVE-2005-3185

wget, cURL: buffer overflow during NTLM authentication

Synthesis of the vulnerability

An attacker can run code on wget or cURL clients connecting to a malicious website.
Impacted products: cURL, Debian, Fedora, Mandriva Corporate, Mandriva Linux, Mandriva NF, NETASQ, OES, openSUSE, RHEL, ProPack, Slackware, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 14/10/2005.
Identifiers: 20051101-01-U, 342339, 342696, BID-15102, CERTA-2005-AVI-407, CVE-2005-3185, DSA-919-1, FEDORA-2005-1000, FEDORA-2005-995, FEDORA-2005-996, iDEFENSE Security Advisory 10.13.05, MDKSA-2005:182, MDKSA-2005:183, RHSA-2005:807, RHSA-2005:807-00, RHSA-2005:812, RHSA-2005:812-00, SSA:2005-310-01, SUSE-SA:2005:063, SUSE-SR:2005:025, VIGILANCE-VUL-5276.

Description of the vulnerability

The cURL and wget programs download web pages or whole web sites.

The HTTP protocol supports several authentication types:
 - Basic: login and password are sent encoded in base64
 - NTLM: an NTLM (Microsoft) authentication is used
The NTLM protocol implementation of wget is a copy of the cURL source code.

The login and domain name entered by the user are stored in a 192-byte array without a size check. This overflow occurs:
 - if the attacker convinces the user to enter a long login name (not probable), or
 - if the web server returns a 302 redirect to a URI containing a long login name

An attacker who controls a web server can therefore run code on connecting clients by requesting NTLM authentication.