Check Point Advisories

Trend Micro Products AntiVirus Library Buffer Overflow (CVE-2005-0533)

Check Point Reference: CPAI-2005-198
Date Published: 9 Mar 2010
Severity: High
Last Updated: Tuesday 28 January, 2014
Source:
Industry Reference: CVE-2005-0533
Protection Provided by: Security Gateway R81, R80, R77, R75

Who is Vulnerable?

Vulnerability Description

TrendMicro provides several anti-virus (AV) scanning products for home use as well as gateway AV scanners. The AV scanner product line has the ability to decode several archived file formats when scanning file contents for viruses. All scanner products are based on scanning engines implemented as system driver modules. The virus scanning engines employ decompression modules to decompress archives before scanning the files contained inside the archive. One such archive format recognized by the affected products is the ARJ format. This archiving format allows for simple storage of multiple files in one archive as well as the compression of the stored files. The Trend Micro scanning engine can decode many file formats to detect malware, including the ARJ file format. There is a vulnerability in the way the product parses the main header and local header file names in an ARJ archive. An overly long name in either field can overrun a buffer, triggering a buffer overflow. An attacker can send a crafted ARJ file to the target system. If the target performs automatic scanning, the vulnerability can be triggered without user intervention (e.g., e-mail scanning) or with some user intervention (e.g., downloading from an FTP site). In a simple attack, after scanning the crafted ARJ archive a vulnerable system will exhibit some instability. On some systems a system-wide lock-up prevents further operation on the target until the system is restarted. On some systems the virus scan engine no longer responds to scanning requests. If an attacker succeeds in injecting and executing supplied code, the target's behavior depends on the nature and intent of the injected code. The code is executed with root or system level privileges.
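The weakness described above lies in how the file-name fields of the ARJ main and local headers are parsed. The following Python is an added example, not Check Point's or Trend Micro's code: it walks the basic headers of an ARJ archive with every length checked against the bytes that remain before it is used, records each name, and flags a name longer than a policy limit or a header larger than the format's stated maximum, the two conditions a gateway or mail filter would want to report before handing an archive to a scanner. The header layout (magic 0x60 0xEA, little-endian basic header size, first-header size byte, fixed fields, NUL-terminated name and comment, header CRC, extended-header chain), the 2600-byte maximum, the 260-byte name limit and the sample archives built inline are assumptions made for this example.

```python
"""Bounds-checked walk over ARJ basic headers (added example; not Check Point's
or Trend Micro's code).  Assumed layout: 2-byte magic 0x60 0xEA, 2-byte LE basic
header size (0 = end of archive), then the basic header (1-byte first-header
size, fixed fields, NUL-terminated file name, NUL-terminated comment), then a
4-byte header CRC and a chain of extended headers (LE16 size, data, LE32 CRC),
ended by a size of 0.  The first header is the main header; every later header
is a file header followed by its compressed data, whose length is the LE32 at
offset 12 of the basic header."""
import struct
import zlib

MAGIC = b"\x60\xea"
SPEC_MAX_BASIC_HEADER = 2600   # maximum basic header size (assumed from the ARJ technote)
NAME_LIMIT = 260               # policy threshold for a file name (assumption)
FIRST_HDR_SIZE = 30            # classic first-header size used by the sample (assumption)


def walk_arj(data: bytes, name_limit: int = NAME_LIMIT):
    """Return (entries, issues).  Parsing stops at the first structural problem;
    an over-long name is recorded as an issue but parsing continues."""
    entries, issues = [], []
    pos, index = 0, 0
    while True:
        if len(data) < pos + 4:
            issues.append(f"offset {pos}: truncated before header")
            return entries, issues
        if data[pos:pos + 2] != MAGIC:
            issues.append(f"offset {pos}: missing header magic")
            return entries, issues
        hdr_size = struct.unpack_from("<H", data, pos + 2)[0]
        if hdr_size == 0:
            return entries, issues                      # end-of-archive marker
        if hdr_size > SPEC_MAX_BASIC_HEADER:
            issues.append(f"header {index}: basic header size {hdr_size} "
                          f"exceeds spec maximum {SPEC_MAX_BASIC_HEADER}")
            return entries, issues
        body = data[pos + 4:pos + 4 + hdr_size]
        if len(body) != hdr_size:
            issues.append(f"header {index}: truncated basic header")
            return entries, issues
        first = body[0]
        if first > hdr_size or (index > 0 and first < 16):
            issues.append(f"header {index}: bad first-header size {first}")
            return entries, issues
        # The name must terminate inside the header; its length is never trusted blindly.
        name, sep, tail = body[first:].partition(b"\x00")
        if not sep:
            issues.append(f"header {index}: file name not NUL-terminated within header")
            return entries, issues
        comment = tail.split(b"\x00", 1)[0]
        if len(name) > name_limit:
            issues.append(f"header {index}: file name length {len(name)} exceeds limit {name_limit}")
        entries.append({"index": index, "main": index == 0, "name": name, "comment": comment})
        pos += 4 + hdr_size + 4                         # magic+size, basic header, header CRC
        while True:                                     # extended-header chain
            if len(data) < pos + 2:
                issues.append(f"header {index}: truncated extended header size")
                return entries, issues
            ext = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if ext == 0:
                break
            pos += ext + 4
        if index > 0:                                   # file header: skip its data
            comp = struct.unpack_from("<I", body, 12)[0]
            if len(data) < pos + comp:
                issues.append(f"header {index}: compressed size {comp} runs past end of data")
                return entries, issues
            pos += comp
        index += 1


def build_header(name: bytes, comment: bytes = b"", compressed: bytes = b"", main: bool = False) -> bytes:
    """Construct one header (plus data for file headers) for the sample archives."""
    fixed = bytearray(FIRST_HDR_SIZE)
    fixed[0] = FIRST_HDR_SIZE
    fixed[1], fixed[2] = 11, 1                # archiver / minimum version (constructed)
    fixed[6] = 2 if main else 0               # file type: 2 = main header, 0 = binary file
    if not main:
        struct.pack_into("<III", fixed, 12, len(compressed), len(compressed), zlib.crc32(compressed))
    body = bytes(fixed) + name + b"\x00" + comment + b"\x00"
    hdr = MAGIC + struct.pack("<H", len(body)) + body + struct.pack("<I", zlib.crc32(body)) + b"\x00\x00"
    return hdr + compressed


def build_archive(files) -> bytes:
    """Main header, one stored file header per (name, payload), end marker."""
    out = build_header(b"sample.arj", main=True)
    for name, payload in files:
        out += build_header(name, compressed=payload)
    return out + MAGIC + b"\x00\x00"


# Constructed sample archives: a benign one, one with an over-long name, one over the spec maximum.
BENIGN = build_archive([(b"readme.txt", b"hello world")])
LONG_NAME = build_archive([(b"a" * 1000 + b".txt", b"x")])
OVERSIZED = build_archive([(b"b" * 3000, b"x")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("long name", LONG_NAME), ("oversized", OVERSIZED)):
        entries, issues = walk_arj(blob)
        print(label, [e["name"][:16] for e in entries], issues)
```

The walker never copies a name into a fixed-size buffer; it only records the length it measured, so an over-long name becomes a log line rather than a crash, which is the behavior a filter in front of a scanner should have.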

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protections tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections, find the Trend Micro Products AntiVirus Library Buffer Overflow protection using the Search tool, and edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Content Protection Violation.
Attack Information:  Trend Micro Products AntiVirus Library buffer overflow
