CHEAP Plug :
Disclosure Policy :
Affected products :
# F-PROT AVES (High: complete bypass of engine)
# F-PROT Antivirus for Windows (unknown)
# F-PROT Antivirus for Windows on Mail Servers (High: complete bypass of engine)
# F-PROT Antivirus for Exchange (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 Mail Servers (High: complete bypass of engine)
# F-PROT Antivirus for Linux x86 File Servers (High: complete bypass of engine)
# F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete bypass of engine)
# F-PROT Milter - for example sendmail (High: complete bypass of engine)
# F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of engine)
# F-Prot Antivirus for Linux x86 Workstations (unknown)
OEM Partners affected :
- Authentium (all)
Command Software Systems, an Authentium company, has been developing and selling an antivirus solution utilizing the powerful F-PROT Antivirus engine since 1991.
OEM Partner unknown status :
- Sendmail, Inc.
- G-Data
"FRISK Software produces the hugely popular F-Prot Antivirus products range offering unrivalled heuristic detection capabilities. In addition to this, the F-Prot AVES managed online e-mail security service filters away the nuisance of spam e-mail as well as viruses, worms and other malware that increasingly clog up inboxes and threaten data security."
The bug prevents the engine from inspecting code inside CAB archives. The archive content is not inspected at all, so any malicious code it carries cannot be detected.
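The defensive lesson of this advisory is that a container the engine cannot walk must never be reported as clean. The following is an added example, not code from the advisory, from FRISK or from any F-PROT product: a sanity parser for the CAB CFHEADER, CFFOLDER and CFFILE structures (field layout as in the public Microsoft Cabinet format) wrapped in a fail-closed policy that returns "quarantine" for anything inconsistent. The function names, the minimal constructed cabinet and the tampered copy used for the check are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet (36 bytes)
CFHDR_FMT = "<4sIIIIIBBHHHHH"
CFHDR_SIZE = struct.calcsize(CFHDR_FMT)
CFHDR_RESERVE_PRESENT = 0x0004       # flags bit: cbCFHeader/cbCFFolder/cbCFData follow
CFFOLDER_SIZE = 8                    # coffCabStart(4) cCFData(2) typeCompress(2)
CFFILE_FIXED = 16                    # cbFile(4) uoffFolderStart(4) iFolder(2) date/time/attribs(6)
KNOWN_COMPRESSION = {0, 1, 2, 3}     # NONE, MSZIP, QUANTUM, LZX (low 4 bits of typeCompress)


@dataclass
class CabVerdict:
    parsable: bool
    reasons: List[str] = field(default_factory=list)


def inspect_cab(data: bytes) -> CabVerdict:
    """Walk the cabinet directory and collect every inconsistency found."""
    problems: List[str] = []
    if len(data) < CFHDR_SIZE:
        return CabVerdict(False, ["truncated CFHEADER"])
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from(CFHDR_FMT, data, 0)
    if sig != b"MSCF":
        return CabVerdict(False, ["signature is not MSCF"])
    if (ver_major, ver_minor) != (1, 3):
        problems.append(f"unexpected format version {ver_major}.{ver_minor}")
    if cb_cabinet != len(data):
        problems.append(f"cbCabinet={cb_cabinet} but actual size is {len(data)}")
    if c_folders == 0 or c_files == 0:
        problems.append("cabinet declares zero folders or zero files")
    folder_reserve = 0
    folders_off = CFHDR_SIZE
    if flags & CFHDR_RESERVE_PRESENT:
        if len(data) < CFHDR_SIZE + 4:
            return CabVerdict(False, problems + ["truncated reserve fields"])
        cb_hdr_reserve, folder_reserve, _data_reserve = struct.unpack_from("<HBB", data, CFHDR_SIZE)
        folders_off += 4 + cb_hdr_reserve
    expected_files_off = folders_off + c_folders * (CFFOLDER_SIZE + folder_reserve)
    if coff_files != expected_files_off:
        problems.append(f"coffFiles={coff_files} but CFFOLDER table ends at {expected_files_off}")
    if coff_files >= len(data):
        return CabVerdict(False, problems + ["coffFiles points past end of cabinet"])
    off = folders_off
    for i in range(c_folders):                      # CFFOLDER entries
        if off + CFFOLDER_SIZE > len(data):
            return CabVerdict(False, problems + [f"CFFOLDER {i} truncated"])
        coff_cab_start, _c_cfdata, type_compress = struct.unpack_from("<IHH", data, off)
        if coff_cab_start >= len(data):
            problems.append(f"CFFOLDER {i}: coffCabStart beyond cabinet")
        if (type_compress & 0x000F) not in KNOWN_COMPRESSION:
            problems.append(f"CFFOLDER {i}: unknown typeCompress {type_compress:#06x}")
        off += CFFOLDER_SIZE + folder_reserve
    off = coff_files
    for i in range(c_files):                        # CFFILE entries (name is NUL-terminated)
        if off + CFFILE_FIXED > len(data):
            return CabVerdict(False, problems + [f"CFFILE {i} truncated"])
        _cb_file, _uoff, i_folder, _d, _t, _attr = struct.unpack_from("<IIHHHH", data, off)
        if i_folder < 0xFFFD and i_folder >= c_folders:   # 0xFFFD..0xFFFF mark spanning cabinets
            problems.append(f"CFFILE {i}: iFolder {i_folder} out of range")
        name_end = data.find(b"\0", off + CFFILE_FIXED)
        if name_end < 0:
            return CabVerdict(False, problems + [f"CFFILE {i}: unterminated szName"])
        off = name_end + 1
    return CabVerdict(not problems, problems)


def scan_verdict(data: bytes) -> str:
    """Fail closed: only a fully walkable cabinet is handed to content inspection;
    anything else is quarantined instead of being passed through as clean."""
    return "inspect" if inspect_cab(data).parsable else "quarantine"


def build_minimal_cab(payload: bytes = b"hello\n", name: bytes = b"hello.txt") -> bytes:
    """Constructed sample: one folder, one stored (uncompressed) file, one CFDATA block."""
    cffile = struct.pack("<IIHHHH", len(payload), 0, 0, 0, 0, 0x20) + name + b"\0"
    folders_off = CFHDR_SIZE
    files_off = folders_off + CFFOLDER_SIZE
    data_off = files_off + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # checksum 0 = unused
    total = data_off + len(cfdata)
    header = struct.pack(CFHDR_FMT, b"MSCF", 0, total, 0, files_off, 0, 3, 1, 1, 1, 0, 0, 0)
    folder = struct.pack("<IHH", data_off, 1, 0)
    return header + folder + cffile + cfdata


if __name__ == "__main__":
    good = build_minimal_cab()
    bad = bytearray(good)
    struct.pack_into("<I", bad, 8, 0xFFFFFFFF)      # inconsistent cbCabinet field
    for label, blob in (("well-formed", good), ("tampered", bytes(bad))):
        print(label, scan_verdict(blob), inspect_cab(blob).reasons)
```

The point of the policy function is the ordering of outcomes: the engine in this advisory effectively answered "clean" when its extractor gave up, while the defensible answer for a mail or file gateway is to quarantine and log, leaving the decision to a human or to a secondary scanner.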
IV. Disclosure timeline
20/04/2009 : Inform FRISK that the sample should extract fine.
22/04/2009 : FRISK responds that they were unable to find any archive program that is able to extract the file. However, it will be patched nonetheless: "being low-priority, it will not be added to the 4.4 branch. In other words, the fix will be included in the next engine released."
22/04/2009 : Sending FRISK a slightly modified POC (same field, different value) that extracts fine and still bypasses the engine. Ask the vendor to confirm that the new engine catches the POC. No reply.
27/04/2009 : Resending the previous mail, asking to check whether the patch has been effectively closed. No reply.
08/05/2009 : Release of this advisory.
F-prot is encouraged to leave their security contact details at http://osvdb.org/vendor/1/Frisk%20Software%20International to facilitate communication and reduce lost reports.