The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of e-Trust Antivirus

computer vulnerability alert CVE-2012-1440 CVE-2012-1446 CVE-2012-1453

eTrust Antivirus: bypassing via CAB, ELF

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by eTrust Antivirus.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/03/2012.
Identifiers: BID-52595, BID-52600, BID-52621, CVE-2012-1440, CVE-2012-1446, CVE-2012-1453, VIGILANCE-VUL-11478.

Description of the vulnerability

Archive extraction tools (CAB, etc.) will still extract archives that are slightly malformed. Systems likewise still execute programs (ELF) that are slightly malformed. However, eTrust Antivirus does not detect viruses contained in these archives/programs.

An ELF program containing a large "identsize" field bypasses the detection. [severity:2/4; BID-52595, CVE-2012-1440]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

A CAB archive containing a large "coffFiles" field bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

An attacker can therefore create an archive containing a virus that is not detected by the antivirus but is nonetheless extracted by extraction tools. The virus is then only detected once it has been extracted on the victim's computer. An attacker can also create a program containing a virus that is not detected by the antivirus but can still be run by the system.

cybersecurity alert CVE-2009-3587 CVE-2009-3588

CA Anti-Virus: code execution via arclib

Synthesis of the vulnerability

An attacker can create a malformed RAR archive that corrupts memory, in order to stop the Anti-Virus or to execute code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/10/2009.
Identifiers: BID-36653, CA20091008-01, CERTA-2009-AVI-431, CVE-2009-3587, CVE-2009-3588, G-SEC 46-2009, VIGILANCE-VUL-9080.

Description of the vulnerability

The arclib.dll/arclib.so library extracts files contained in an archive. It is impacted by two vulnerabilities.

A malformed RAR archive generates a heap corruption in arclib. [severity:3/4; CERTA-2009-AVI-431, CVE-2009-3587]

A malformed RAR archive generates a stack corruption in arclib. [severity:3/4; CVE-2009-3588]

An attacker can therefore create a malformed RAR archive that corrupts memory, in order to stop the Anti-Virus or to execute code.

vulnerability announce CVE-2009-0042

CA Anti-Virus: bypassing arclib

Synthesis of the vulnerability

An attacker can create a malformed archive containing a virus that is not detected by the antivirus.
Severity: 2/4.
Creation date: 27/01/2009.
Identifiers: BID-33464, CA20090126-01, CERTA-2009-AVI-033, CVE-2009-0042, VIGILANCE-VUL-8426.

Description of the vulnerability

The arclib.dll/arclib.so library extracts files contained in an archive.

When the archive is malformed, arclib fails to extract files, and the antivirus concludes that this archive does not contain a virus.

An attacker can therefore create a malformed archive containing a virus that is not detected by the antivirus.

computer vulnerability note CVE-2007-4620

CA Alert Notification Server: code execution

Synthesis of the vulnerability

An authenticated attacker can exploit overflows in the CA Alert Notification Server service in order to elevate privileges.
Severity: 2/4.
Creation date: 04/04/2008.
Identifiers: BID-28605, CERTA-2008-AVI-184, CVE-2007-4620, VIGILANCE-VUL-7734.

Description of the vulnerability

The CA Alert Notification Server service is installed by several Computer Associates (CA) products.

This service does not validate the parameters provided by clients, which leads to buffer overflows.

An authenticated attacker can exploit these overflows in order to elevate privileges.

cybersecurity bulletin CVE-2007-3875

Computer Associates AV: denial of service via CHM

Synthesis of the vulnerability

An attacker can create a malicious CHM file generating an infinite loop in the antivirus.
Severity: 2/4.
Creation date: 25/07/2007.
Identifiers: BID-25049, CAID 35525, CAID 35526, CVE-2007-3875, n.runs-SA-2007.024, VIGILANCE-VUL-7036.

Description of the vulnerability

Files with the CHM extension are compiled help files for Windows.

When Computer Associates antivirus analyzes a CHM file containing a reference pointing back to a previous data chunk, an infinite loop occurs.

An attacker can therefore create a malicious CHM file in order to generate a denial of service in the antivirus.

computer threat note CVE-2007-3825

CA AV eTrust: buffer overflows of Alert service

Synthesis of the vulnerability

Several buffer overflows affect Computer Associates products using the Alert service.
Severity: 3/4.
Creation date: 20/07/2007.
Identifiers: CAID 35515, CERTA-2007-AVI-315, CVE-2007-3825, VIGILANCE-VUL-7024.

Description of the vulnerability

The Alert service is used by several Computer Associates products:
 - CA Threat Manager for the Enterprise
 - CA Anti-Virus for the Enterprise
 - CA Protection Suites
 - BrightStor ARCserve

This service installs the 3d742890-397c-11cf-9bf1-00805f88cb72 RPC interface. It can be reached via SMB/CIFS and contains several buffer overflows.

A network attacker can therefore connect to this computer and use these vulnerabilities in order to obtain system privileges.

security alert CVE-2007-2863 CVE-2007-2864

CA Anti-Virus, eTrust: buffer overflows of CAB

Synthesis of the vulnerability

An attacker can create a malicious CAB archive in order to generate two overflows in Computer Associates antiviruses.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/06/2007.
Identifiers: BID-24330, BID-24331, CERTA-2007-AVI-252, CVE-2007-2863, CVE-2007-2864, VIGILANCE-VUL-6885, VU#105105, VU#739409, ZDI-07-034, ZDI-07-035.

Description of the vulnerability

An attacker can create a malicious CAB archive in order to generate two overflows in Computer Associates antiviruses.

When a CAB archive contains a file with a long name, an overflow occurs in vete.dll. [severity:3/4; BID-24331, CERTA-2007-AVI-252, CVE-2007-2863, VU#739409, ZDI-07-034]

When the "coffFiles" field of a CAB archive contains a file with a long name, an overflow occurs. [severity:3/4; BID-24330, CVE-2007-2864, VU#105105, ZDI-07-035]

Both overflows can lead to code execution.

computer weakness note CVE-2007-2522 CVE-2007-2523

CA Anti-Virus: several buffer overflows

Synthesis of the vulnerability

A local or remote attacker can exploit several buffer overflows in antivirus products from Computer Associates.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/05/2007.
Identifiers: BID-23906, CAID 35330, CAID 35331, CERTA-2007-AVI-217, CVE-2007-2522, CVE-2007-2523, VIGILANCE-VUL-6812, VU#680616, VU#788416, ZDI-07-028.

Description of the vulnerability

An attacker can exploit two buffer overflows in antivirus products from Computer Associates.

The InoWeb.exe web server listens on port 12168/tcp. Users must authenticate before accessing the service. However, the login and password are copied into a fixed-size array without a length check, which leads to an overflow. A remote attacker can therefore execute code. [severity:3/4; CERTA-2007-AVI-217, CVE-2007-2522, VU#680616, ZDI-07-028]

The task service InoTask.exe, linked to InoCore.dll, uses a shared file that can be edited by every local user. A local attacker can therefore write a long value into it in order to trigger an overflow, and then execute code with SYSTEM privileges. [severity:3/4; CVE-2007-2523, VU#788416]

vulnerability announce CVE-2006-6496

CA Anti-Virus: denial of service of vetfddnt.sys and vetmonnt.sys

Synthesis of the vulnerability

A local attacker can send malicious data to vetfddnt.sys and vetmonnt.sys drivers in order to stop the antivirus.
Severity: 1/4.
Creation date: 14/12/2006.
Identifiers: BID-21593, CAID 34870, CVE-2006-6496, VIGILANCE-VUL-6402.

Description of the vulnerability

The vetfddnt.sys and vetmonnt.sys drivers are used by CA Anti-Virus.

Some of their functions, reachable via ioctl, do not check whether parameters are NULL before dereferencing them.

A local attacker can thus pass a NULL parameter in order to crash the system.

computer vulnerability bulletin CVE-2006-5645 CVE-2006-6458

Antivirus: infinite loop via a RAR archive

Synthesis of the vulnerability

An attacker can create a malicious RAR archive in order to trigger an infinite loop in some antivirus products.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/12/2006.
Identifiers: 7609, BID-21509, CAID 35525, CAID 35526, CVE-2006-5645, CVE-2006-6458, CVE-2007-5645-ERROR, iDefense Security Advisory 12.08.06, VIGILANCE-VUL-6384.

Description of the vulnerability

The RAR format is composed of successive headers and data sections.

The "Archive Header" section is the main header of the file. Its "head_size" field indicates the size of this header, and its "pack_size" field indicates the compressed size.

When the "head_size" and "pack_size" fields are both set to zero, the archive is invalid. However, some antivirus products enter an infinite loop trying to read data.

Antivirus products identified as vulnerable are:
 - CA Anti-Virus
 - Sophos Small business edition (Windows/Linux) 4.06.1 (engine version 2.34.3)
 - Trend Micro Office Scan 7.3
 - Trend Micro PC Cillin - Internet Security 2006
 - Trend Micro Server Protect 5.58