The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of F-PROT AV

computer vulnerability bulletin CVE-2012-1420 CVE-2012-1423 CVE-2012-1426

F-PROT Antivirus: bypassing via ELF, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by F-PROT Antivirus.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 21/03/2012.
Identifiers: BID-52585, BID-52588, BID-52591, BID-52608, BID-52610, BID-52612, BID-52614, BID-52615, BID-52623, BID-52629, CVE-2012-1420, CVE-2012-1423, CVE-2012-1426, CVE-2012-1431, CVE-2012-1443, CVE-2012-1456, CVE-2012-1457, CVE-2012-1459, CVE-2012-1460, CVE-2012-1463, VIGILANCE-VUL-11468.

Description of the vulnerability

Archive extraction tools (TAR, ZIP, etc.) will extract archives that are slightly malformed, and systems will likewise execute programs (ELF) that are slightly malformed. F-PROT Antivirus, however, does not detect viruses contained in such archives and programs.

A TAR archive containing "\7fELF" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52615, CVE-2012-1420]

A TAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52588, CVE-2012-1423]

A TAR archive containing "\42\5A\68" as its first 3 bytes bypasses the detection. [severity:1/4; BID-52585, CVE-2012-1426]

An ELF program containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:2/4; BID-52591, CVE-2012-1431]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a large size bypasses the detection. [severity:1/4; BID-52610, CVE-2012-1457]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive ending with 6 random bytes bypasses the detection. [severity:1/4; BID-52629, CVE-2012-1460]

An ELF program with a changed 5th byte bypasses the detection. [severity:2/4; BID-52614, CVE-2012-1463]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus but which is extracted by extraction tools. The virus is then detected only once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus but which can be run by the system.
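The common thread in the ten cases above is a disagreement between what a type sniffer sees in the leading bytes and what the archive parser (or the loader) accepts. As an added illustration of the check a scanner needs, and not code from Vigil@nce or F-PROT, the Python below recomputes the ustar header checksum independently of any library, asks the standard-library extractor whether it would accept the same block, and flags a block that is a valid TAR header yet starts with a signature a sniffer would attribute to another type, so it gets scanned as an archive as well as whatever the magic suggests. The header blocks, file names and the KNOWN_MAGICS list are constructed sample data and assumptions made for this demonstration only.

```python
import tarfile
from typing import Optional

BLOCK = 512

# Constructed list of public leading-byte signatures a type sniffer typically keys on.
KNOWN_MAGICS = {
    b"\x7fELF": "ELF executable",
    b"MZ": "DOS/PE executable",
    b"BZh": "bzip2 stream",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
}


def ustar_checksum_ok(block: bytes) -> bool:
    """Recompute the ustar header checksum: the sum of all 512 header bytes with the
    8-byte checksum field (offset 148) counted as eight spaces, compared with the
    octal value stored in that field (both the unsigned and the legacy signed sum)."""
    if len(block) != BLOCK or block[257:262] != b"ustar":
        return False
    try:
        stored = int(block[148:156].strip(b"\0 ") or b"0", 8)
    except ValueError:
        return False
    rest = block[:148] + block[156:]
    unsigned = 8 * ord(" ") + sum(rest)
    signed = 8 * ord(" ") + sum(b - 256 if b > 127 else b for b in rest)
    return stored in (unsigned, signed)


def extractor_accepts(block: bytes) -> bool:
    """Ask the standard-library TAR parser whether it would take this header."""
    try:
        tarfile.TarInfo.frombuf(block, "utf-8", "surrogateescape")
        return True
    except tarfile.TarError:
        return False


def sniff_leading_magic(data: bytes) -> Optional[str]:
    """What a magic-only sniffer would call the data, or None if nothing matches."""
    for magic, label in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return label
    return None


def classify(data: bytes) -> dict:
    """Decide how a scanner should treat the first block: a valid TAR header whose
    leading bytes also match another type is a conflict and must be scanned as an
    archive, not dismissed on the strength of the magic bytes alone."""
    head = data[:BLOCK]
    is_tar = ustar_checksum_ok(head)
    looks_like = sniff_leading_magic(head)
    return {
        "valid_tar_header": is_tar,
        "extractor_accepts": extractor_accepts(head) if len(head) == BLOCK else False,
        "leading_magic": looks_like,
        "scan_as_archive": is_tar,
        "conflict": is_tar and looks_like is not None,
    }


def make_header(name: str, size: int = 0) -> bytes:
    """Build one ustar header block with the standard library, standing in for the
    first 512 bytes of a real archive (constructed sample data)."""
    info = tarfile.TarInfo(name)
    info.size = size
    return info.tobuf(tarfile.USTAR_FORMAT)


# Constructed samples: an ordinary member, a member whose name field makes the
# archive start with "MZ", and a block that is only an ELF signature, not a TAR.
SAMPLE_PLAIN = make_header("report.txt", size=12)
SAMPLE_CONFLICT = make_header("MZ_installer.exe")
SAMPLE_ELF_ONLY = b"\x7fELF" + bytes(BLOCK - 4)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("conflict", SAMPLE_CONFLICT),
                          ("elf-only", SAMPLE_ELF_ONLY)):
        print(label, classify(sample))
```

The point of the `extractor_accepts` column is that the independent checksum and the real parser must agree: whenever the extractor would unpack a block, the scanner has to unpack it too, regardless of what the first few bytes look like.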

computer vulnerability bulletin 11128

Avast, F-Prot: virus not detected on NTFS

Synthesis of the vulnerability

An attacker who can upload a virus to an NTFS partition can change its permissions so that it remains executable but is not detected by the antivirus.
Impacted products: Avast AV, F-PROT AV.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: document.
Creation date: 07/11/2011.
Identifiers: BID-50569, VIGILANCE-VUL-11128.

Description of the vulnerability

An NTFS partition allows the following permissions to be set on a file:
 - "Execute File" : permission to execute the file
 - "Read" : permission to read the file

When a file has the "Execute File" permission but not the "Read" permission, some antivirus software does not analyze it, and thus does not detect whether it contains a virus. Note that the initial storage of the file, before its permissions are changed, is detected by the antivirus.

An attacker who can upload a virus to an NTFS partition can therefore change its permissions so that it remains executable but is not detected by the antivirus.

vulnerability CVE-2009-3087 CVE-2009-3094 CVE-2009-3095

Several products: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in numerous products.
Impacted products: Apache httpd, OpenOffice, NetWorker, F-PROT AV, FreeBSD, OpenView, OpenView NNM, OpenView Operations, HP Operations, Domino, Kaspersky AV, MySQL Community, MySQL Enterprise, OpenSolaris, OpenSSL, Oracle AS, Oracle Directory Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, WebLogic, Percona Server, Samba, Crystal Reports, SAP ERP, NetWeaver, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on server, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 04/09/2009.
Revisions dates: 11/09/2009, 26/10/2009.
Identifiers: BID-36242, BID-36243, BID-36248, BID-36250, BID-36252, BID-36253, BID-36254, BID-36257, BID-36258, BID-36263, BID-36267, BID-36285, BID-36286, BID-36813, BID-36818, BID-36819, BID-37640, CERTA-2009-AVI-384, CERTA-2009-AVI-424, CVE-2009-3087, CVE-2009-3094, CVE-2009-3095, CVE-2009-3098, CVE-2009-3099, CVE-2009-3111, CVE-2009-3344, CVE-2009-3345, CVE-2009-3346, CVE-2009-3569, CVE-2009-3570, CVE-2009-3571, CVE-2009-3878, CVE-2009-4481-REJECT, CVE-2009-4484, VIGILANCE-VUL-9000.

Description of the vulnerability

Several vulnerabilities were announced in numerous products. Their technical details are unknown. Individual bulletins will be created when details are published.

Apache mod_proxy_ftp is impacted by two vulnerabilities: VIGILANCE-VUL-8994 and VIGILANCE-VUL-9038. [severity:1/4; BID-36254, CERTA-2009-AVI-424, CVE-2009-3094, CVE-2009-3095]

EMC Legato NetWorker is impacted by three vulnerabilities. [severity:1/4]

F-PROT Antivirus is impacted by two vulnerabilities. [severity:1/4]

FreeBSD is impacted by two vulnerabilities. [severity:1/4]

FreeRADIUS is impacted by the VIGILANCE-VUL-9016 vulnerability. [severity:1/4; BID-36263, CERTA-2009-AVI-384, CVE-2009-3111, CVE-2009-4481-REJECT]

HP Operations is impacted by two vulnerabilities. [severity:1/4; BID-36253, BID-36258, CVE-2009-3098, CVE-2009-3099]

HP OpenView Network Node Manager is impacted by four vulnerabilities. [severity:1/4; BID-36248]

Lotus Domino is impacted by six vulnerabilities. [severity:1/4; BID-36257, CVE-2009-3087]

Kaspersky Online Antivirus Scanner is impacted by two vulnerabilities. One vulnerability is related to kos-bin-winnt.jar containing the kosglue-7.0.26.0.dll DLL which can contain a Trojan Horse. [severity:1/4; BID-36243]

MySQL is impacted by two vulnerabilities. The first one is VIGILANCE-VUL-9380. [severity:1/4; BID-36242, BID-37640, CVE-2009-4484]

OpenOffice is impacted by three vulnerabilities. [severity:1/4; BID-36285, CVE-2009-3569, CVE-2009-3570, CVE-2009-3571]

OpenSSL is impacted by one vulnerability. [severity:1/4]

Oracle WebLogic is impacted by three vulnerabilities. [severity:1/4]

Oracle Application Server is impacted by five vulnerabilities. [severity:1/4]

PowerArchiver is impacted by one vulnerability. [severity:1/4]

SAP Crystal Reports is impacted by three vulnerabilities. [severity:1/4; BID-36267, CVE-2009-3344, CVE-2009-3345, CVE-2009-3346]

SAP NetWeaver is impacted by six vulnerabilities. [severity:1/4; BID-36252]

Samba is impacted by six vulnerabilities. [severity:1/4; BID-36250]

Sun Java System Directory Server is impacted by two vulnerabilities. [severity:1/4; BID-36286]

Sun Java System Web Proxy Server is impacted by one vulnerability. [severity:1/4]

Solaris is impacted by one vulnerability. [severity:1/4]

Sun Java System WebServer is impacted by one vulnerability. [severity:1/4; BID-36813, CVE-2009-3878]

Solaris is impacted by two vulnerabilities. [severity:1/4; BID-36818, BID-36819]

computer vulnerability announce 8807

F-PROT Antivirus: bypassing via ARJ LHA RAR

Synthesis of the vulnerability

An attacker can create an ARJ/LHA/RAR archive containing a virus which is not detected by F-PROT products.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 18/06/2009.
Identifiers: BID-35427, TZO-34-2009, VIGILANCE-VUL-8807.

Description of the vulnerability

F-PROT products detect viruses contained in ARJ/LHA/RAR archives.

However, an attacker can create a slightly malformed archive, which can still be opened by extraction tools, but which cannot be opened by the antivirus.

An attacker can therefore create an ARJ/LHA/RAR archive containing a virus which is not detected by F-PROT products.

vulnerability note 8794

F-PROT Antivirus: bypassing via TAR

Synthesis of the vulnerability

An attacker can create a TAR archive containing a virus which is not detected by F-PROT products.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 15/06/2009.
Identifiers: BID-35355, TZO-33-2009, VIGILANCE-VUL-8794.

Description of the vulnerability

F-PROT products detect viruses contained in TAR archives.

However, an attacker can create a slightly malformed archive, which can still be opened by WinZip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a TAR archive containing a virus which is not detected by F-PROT products.

computer vulnerability CVE-2009-1783

F-PROT Antivirus: bypassing via CAB

Synthesis of the vulnerability

An attacker can create a CAB archive containing a virus which is not detected by F-PROT.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Creation date: 11/05/2009.
Identifiers: BID-34896, CVE-2009-1783, TZO-21-2009, VIGILANCE-VUL-8705.

Description of the vulnerability

F-PROT products detect viruses contained in CAB archives.

However, an attacker can create a slightly malformed archive (by changing "Filesize"), which can still be opened by Unzip tools, but which cannot be opened by the antivirus.

An attacker can therefore create a CAB archive containing a virus which is not detected by F-PROT.

computer vulnerability bulletin CVE-2008-5747

F-Prot AV: denial of service via ELF

Synthesis of the vulnerability

An attacker can create a malicious ELF binary in order to create a denial of service and possibly to execute code in F-Prot AV.
Impacted products: F-PROT AV.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 10/12/2008.
Identifiers: BID-32753, CVE-2008-5747, IVIZ-08-016, VIGILANCE-VUL-8318.

Description of the vulnerability

An attacker can create a malicious ELF binary in order to create a denial of service and possibly to execute code in F-Prot AV.

This vulnerability may only impact Linux versions of the antivirus.

vulnerability alert 7981

F-PROT: denial of service via zip

Synthesis of the vulnerability

An attacker can send a corrupted zip file to a victim, which generates a denial of service.
Impacted products: F-PROT AV.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Creation date: 31/07/2008.
Identifiers: BID-30461, VIGILANCE-VUL-7981.

Description of the vulnerability

The F-PROT antivirus checks every file on the victim's computer.

An attacker can send a corrupted zip file, which triggers an infinite loop in F-PROT.

An attacker can therefore generate a denial of service.

vulnerability bulletin CVE-2008-3243 CVE-2008-3244

F-PROT: several denials of service

Synthesis of the vulnerability

An attacker can create malformed files in order to stop F-PROT.
Impacted products: F-PROT AV.
Severity: 1/4.
Consequences: denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 16/07/2008.
Identifiers: BID-30253, BID-30258, CVE-2008-3243, CVE-2008-3244, n.runs-SA-2008.002, VIGILANCE-VUL-7953.

Description of the vulnerability

Four vulnerabilities were corrected in version 4.4.4 of the F-PROT engine.

A CHM file with a nb_dir header value of 0xffffffff forces a read at an invalid memory address, which stops F-PROT. [severity:1/4; BID-30253, CVE-2008-3244, n.runs-SA-2008.002]

A malformed UPX file stops the engine. [severity:1/4; CVE-2008-3243]

A malformed Microsoft Office file creates an infinite loop. [severity:1/4]

On a 64-bit processor, a file compressed with ASPack stops the engine. [severity:1/4]

vulnerability note CVE-2006-6406 CVE-2006-6407 CVE-2006-6408

Antivirus: bypassing via base64

Synthesis of the vulnerability

An attacker can use base64 data containing unexpected characters in order to bypass some antivirus products.
Impacted products: ClamAV, Debian, F-PROT AV, F-Secure AV, Kaspersky AV, Mandriva Linux, openSUSE.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 07/12/2006.
Revision date: 12/12/2006.
Identifiers: BID-21461, CVE-2006-6406, CVE-2006-6407, CVE-2006-6408, CVE-2006-6409, DSA-1238-1, MDKSA-2006:230, SUSE-SA:2006:078, VIGILANCE-VUL-6374.

Description of the vulnerability

The base64 algorithm encodes data using 64 characters: A-Z a-z 0-9 + /

RFC 2045 (page 24) states that a base64 decoder has to ignore all other characters (and should warn the user). Spaces and line feeds, but also other special characters, therefore have to be ignored.

Most messaging clients honour this RFC and can thus decode a base64 string containing special characters. Some antivirus products, however, do not recognize such data and do not detect the encoded virus.
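The mismatch is between a lenient decoder (the mail client, following RFC 2045) and a strict one (the scanner). The Python below, an added example that is not part of the Vigil@nce bulletin or any of the listed products, shows both decoders side by side over the same input and why a scanner has to normalize the way the client will: it strips every byte outside the base64 alphabet before decoding, exactly as the RFC prescribes, and then looks for a signature in the result. The sample payload is the public EICAR antivirus test string, the injected junk characters are constructed for the demonstration, and the `scan` function is a stand-in for a real signature match.

```python
import base64
import binascii
import re
from typing import Optional

# Everything outside the RFC 2045 base64 alphabet ("=" is padding, kept for now).
_NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def lenient_b64decode(data: bytes) -> bytes:
    """Decode the way RFC 2045 tells mail clients to: drop every byte that is not
    part of the alphabet, then decode what is left (re-padding if needed)."""
    cleaned = _NOT_B64.sub(b"", data).rstrip(b"=")
    cleaned += b"=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


def strict_b64decode(data: bytes) -> Optional[bytes]:
    """A strict decoder, as a naive scanner might use: any foreign byte is an error
    and nothing is returned to the signature engine."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan(payload: bytes, signature: bytes) -> bool:
    """Stand-in for the signature engine: a plain substring match."""
    return signature in payload


# The EICAR test string: an industry-standard, harmless file that every scanner flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLEAN_B64 = base64.b64encode(EICAR)


def pollute(b64: bytes, junk: bytes = b"\t-!~", every: int = 5) -> bytes:
    """Constructed sample input: insert one non-alphabet byte after every `every`
    alphabet characters, which RFC 2045 says a decoder must simply ignore."""
    out = bytearray()
    for i, c in enumerate(b64):
        out.append(c)
        if (i + 1) % every == 0:
            out.append(junk[(i // every) % len(junk)])
    return bytes(out)


POLLUTED_B64 = pollute(CLEAN_B64)


def compare_decoders(encoded: bytes, signature: bytes = EICAR) -> dict:
    """Run both decoders over one encoded blob and report what each lets the
    signature engine see."""
    strict = strict_b64decode(encoded)
    lenient = lenient_b64decode(encoded)
    return {
        "strict_decoded": strict is not None,
        "strict_detects": strict is not None and scan(strict, signature),
        "lenient_detects": scan(lenient, signature),
    }


if __name__ == "__main__":
    print("clean   :", compare_decoders(CLEAN_B64))
    print("polluted:", compare_decoders(POLLUTED_B64))
```

On the clean encoding both decoders see the test string; on the polluted one only the lenient decoder does, which is the gap the bulletin describes. A scanner that sits in front of a mail client therefore has to apply the client's own decoding rules (or decode both ways) rather than rejecting or skipping the part.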

This vulnerability affects, with varying severity, the following products:
 - BitDefender Mail Protection for SMB 2.0
 - ClamAV 0.88.7
 - F-Prot Antivirus for Linux x86 Mail Servers 4.6.61
 - Kaspersky Anti-Virus for Linux Mail Server 5.5.10
 - F-Secure Anti-Virus for Linux Gateways 4.65