Check Point Advisories

McAfee VirusScan On-Access Scanner Long Filename Handling Buffer Overflow

Check Point Reference: CPAI-2007-255
Date Published: 20 Jul 2010
Severity: High
Last Updated: Tuesday 20 July, 2010
Source:
Protection Provided by:

Security Gateway
R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description McAfee Corporation is a major vendor of numerous anti-virus, network, and desktop security products which are deployed in consumer as well as enterprise environments. McAfee VirusScan is an AntiVirus application that offers protection against the latest computer virus threats. McAfee VirusScan provides two virus scan methods: On-Demand Scan and On-Access Scan. In On-Access virus scanning mode, the AntiVirus scanner monitors file reading requests made by programs and inspect the file content before passing them to the requesting program. There exists a heap buffer overflow vulnerability in McAfee VirusScan. The flaw is due to a boundary error when processing overly long file names that contain Unicode characters. A remote attacker can exploit this vulnerability by placing a file with a specially crafted name on the target system and enticing the user to access the file. Successful exploitation may allow arbitrary code execution in the security context of System. In an attack scenario, where arbitrary code is successfully injected and executed on the target machine, the behavior of the target is dependent on the intention of the malicious code. If such an attack is not executed successfully, the functionality On-Access Scanner of the vulnerable application may be disabled as a result of the attack attempt.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the McAfee VirusScan On-Access Scanner Long Filename Handling Buffer Overflow protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Security Products Enforcement Violation.
Attack Information:  McAfee VirusScan On-Access scanner long Unicode filename handling buffer overflow

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK