Check Point Advisories

BitDefender Antivirus Logging Function Format String - Ver2 (CVE-2005-3154)

Check Point Reference: CPAI-2015-0282
Date Published: 26 Mar 2015
Severity: High
Last Updated: Thursday 26 March, 2015
Source:
Industry Reference:CVE-2005-3154
Protection Provided by:

Security Gateway
R77, R76, R75
Who is Vulnerable?
Vulnerability Description The SOFTWIN BitDefender Antivirus (AV) product is an anti-virus scanner capable of on-demand as well as email scanning operations. The AV scanner logs by default all results of scans that it performs on the host machine. The logs include positive as well negative virus pattern matches. There exists a format string vulnerability in BitDefender Antivirus product. The flaw is caused by improper validation of file names when printing logging information. By delivering files with crafted names to a vulnerable target, a remote attacker may leverage this vulnerability to bypass the detection for further attacks or execute arbitrary code. In a case of an unsuccessful code injection attack, the current scanning process will terminate unexpectedly, the functionality of the Anti-Virus product as a whole will not be affected. The AV application will not produce any log entries as a result of its unexpected termination. The attacker may utilize this issue to bypass the scanning of a known virus file when the scan accessed files option in the AV application setting is disabled. A successful attack aiming at code injection and execution will divert the process flow of the vulnerable application. This will result in arbitrary code execution. The behaviour of the target system is dependent on the intention of the injected code.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated,
update your Security Gateway product to the latest IPS update.
For information on how to update IPS, go to

SBP-2006-05,
Protection tab and select the version of your choice.

Security Gateway R77 / R76 / R75 / R71 / R70

  1. In the IPS tab, click Protections and find the BitDefender Antivirus Logging Function Format String - Ver2 protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

SmartView Tracker will log the following entries:

Attack Name:  HTTP Protocol Inspection.
Attack Information:  BitDefender Antivirus Logging Function Format String - Ver2

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK