Check Point Advisories

F-Secure Anti-Virus LHA Processing Buffer Overflow (CVE-2004-0234)

Vulnerability
Protection

Check Point Reference:	CPAI-2004-146
Date Published:	22 Dec 2009
Severity:	Critical
Last Updated:	Sunday 19 April, 2015
Source:
Industry Reference:	CVE-2004-0234
Protection Provided by:	Security Gateway R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description	F-Secure Corporation protects individuals and businesses against computer viruses and other threats spreading through the Internet and mobile networks. F-Secure Anti-Virus is an anti-virus solution for both the enterprise and the desktop. It is available for both Windows and Linux. Additionally, it can be integrated into other products. There exists a vulnerability in the F-Secure Antiphon's family of products. A crafted LHA archive can cause a buffer overflow within the module that accesses the contents of archives during the virus scanning process. In case of a simple attack, the software module will restart, causing loss of the product's service and resulting in a denial of service. In case of a more sophisticated attack, where code injection and execution is succesful, the target system's behavior is entirely dependent on the intended purpose of the injected code.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

In the IPS tab, click Protections and find the F-Secure Anti-Virus LHA Processing Buffer Overflow protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Security Products Enforcement Violation.
Attack Information: F-Secure Anti-Virus LHA processing buffer overflow