Check Point Advisories

Symantec AntiVirus RAR Archive Decompression Buffer Overflow (CVE-2005-4438)

Check Point Reference: CPAI-2005-349
Date Published: 6 Oct 2009
Severity: Critical
Last Updated: Tuesday 06 October, 2009
Source:
Industry Reference:CVE-2005-4438
Protection Provided by:

Security Gateway
R81, R80, R77, R75

Who is Vulnerable?

Vulnerability Description

Symantec antivirus scanning products are designed for enterprise and home environments to protect against potentially malicious files and network traffic. Numerous Symantec products that incorporate antivirus scanning share common components and libraries. One such shared component is the set of decomposer libraries that decompress numerous archive file formats.

A heap buffer overflow vulnerability exists in multiple Symantec products. The vulnerability is specifically contained in the Antivirus Library responsible for RAR archive decompression. A remote attacker may exploit this vulnerability to execute arbitrary code on the target host with System level privileges by delivering a crafted RAR archive.

If an attack succeeds in injecting and executing arbitrary code on the target host, the resulting behaviour of the target depends on the intention of the malicious code. The injected code runs in the security context of the target process, which is SYSTEM by default. If the attack does not succeed, the current process of the vulnerable application may terminate as a result of the attempt. Note that the on-access virus scan application will still function after such a termination.
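As an added illustration that is not part of this advisory and is not Symantec's code: a hypothetical archive-entry extractor in C that shows the defect class behind this kind of bug (a size field read from an untrusted archive header driving a heap allocation and a copy) and validates every size before allocating or writing. The 8-byte header layout, the field names, the MAX_ENTRY_SIZE limit, the result codes and the sample byte sequences are all constructed for this example and bear no relation to the real RAR format or to any vendor's implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound this hypothetical scanner will allocate for one entry
 * (assumed value; a real product chooses its own limit). */
#define MAX_ENTRY_SIZE (64u * 1024u)

/* Result codes for extract_entry(). */
enum {
    EXTRACT_OK = 0,
    EXTRACT_ERR_TRUNCATED = -1,    /* header or payload shorter than claimed */
    EXTRACT_ERR_TOO_LARGE = -2,    /* declared size exceeds MAX_ENTRY_SIZE */
    EXTRACT_ERR_INCONSISTENT = -3  /* payload would overrun the destination */
};

/* Hypothetical 8-byte entry header: two little-endian uint32 fields.
 * Both values come straight from the untrusted archive. */
typedef struct {
    uint32_t unpacked_size; /* size the archive claims the entry expands to */
    uint32_t packed_size;   /* bytes of payload that follow the header */
} entry_header_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int parse_header(const uint8_t *buf, size_t len, entry_header_t *h) {
    if (len < 8) return EXTRACT_ERR_TRUNCATED;
    h->unpacked_size = read_le32(buf);
    h->packed_size = read_le32(buf + 4);
    return EXTRACT_OK;
}

/* Extract a "stored" (uncompressed) entry into a freshly allocated heap
 * buffer. The defect class in the advisory arises when a decompressor
 * sizes its heap buffer from one header field but writes as many bytes
 * as another field (or the compressed stream) dictates. Here every size
 * is checked before any allocation or copy happens. */
int extract_entry(const uint8_t *archive, size_t archive_len,
                  uint8_t **out, size_t *out_len) {
    entry_header_t h;
    int rc = parse_header(archive, archive_len, &h);
    if (rc != EXTRACT_OK) return rc;

    /* Cap the allocation: an unbounded declared size is a malloc failure
     * or an integer wrap waiting to happen. */
    if (h.unpacked_size > MAX_ENTRY_SIZE) return EXTRACT_ERR_TOO_LARGE;

    /* The payload must actually be present in the input
     * (archive_len >= 8 is guaranteed by parse_header). */
    if (h.packed_size > archive_len - 8) return EXTRACT_ERR_TRUNCATED;

    /* Writing more bytes than the destination holds is exactly the heap
     * overflow; reject the entry instead of truncating silently. */
    if (h.packed_size > h.unpacked_size) return EXTRACT_ERR_INCONSISTENT;

    uint8_t *dst = malloc(h.unpacked_size ? h.unpacked_size : 1);
    if (!dst) return EXTRACT_ERR_TOO_LARGE;

    memcpy(dst, archive + 8, h.packed_size);
    *out = dst;
    *out_len = h.packed_size;
    return EXTRACT_OK;
}

/* Constructed sample inputs (not real RAR data). */
static const uint8_t SAMPLE_OK[] =
    { 5,0,0,0,  5,0,0,0,  'h','e','l','l','o' };
/* Claims a 4-byte entry but carries 16 bytes of payload. */
static const uint8_t SAMPLE_OVERRUN[] =
    { 4,0,0,0,  16,0,0,0,
      'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
/* Declares a 4 GiB entry. */
static const uint8_t SAMPLE_HUGE[] =
    { 0xff,0xff,0xff,0xff,  1,0,0,0,  'x' };
/* Claims 9 payload bytes but only 5 follow. */
static const uint8_t SAMPLE_TRUNCATED[] =
    { 5,0,0,0,  9,0,0,0,  'h','e','l','l','o' };

/* Run one sample through the extractor; returns the result code and
 * reports the extracted length through *n (0 on failure). */
static int demo_extract(const uint8_t *s, size_t len, size_t *n) {
    uint8_t *out = NULL;
    *n = 0;
    int rc = extract_entry(s, len, &out, n);
    free(out);
    return rc;
}

int demo_ok(void)        { size_t n; return demo_extract(SAMPLE_OK, sizeof SAMPLE_OK, &n); }
int demo_ok_len(void)    { size_t n; demo_extract(SAMPLE_OK, sizeof SAMPLE_OK, &n); return (int)n; }
int demo_overrun(void)   { size_t n; return demo_extract(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, &n); }
int demo_huge(void)      { size_t n; return demo_extract(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &n); }
int demo_truncated(void) { size_t n; return demo_extract(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &n); }

int main(void) {
    printf("ok=%d len=%d overrun=%d huge=%d truncated=%d\n",
           demo_ok(), demo_ok_len(), demo_overrun(), demo_huge(), demo_truncated());
    return 0;
}
```

The order of the checks matters: the size cap runs before any allocation so that an absurd declared size can never reach malloc, the payload-presence check protects the read side, and the consistency check protects the write side. A scanner that only enforced the first of these would still be exposed to the write overrun the advisory describes.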

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the Symantec AntiVirus RAR Archive Decompression Buffer Overflow protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Security Products Enforcement Violation.
Attack Information:  Symantec AntiVirus RAR archive decompression buffer overflow
