Vulnerability Name: CVE-2005-3377 (CCN-24579)

Assigned: 2005-10-25
Published: 2005-10-25
Updated: 2016-10-18
Summary: Multiple interpretation error in (1) McAfee Internet Security Suite 7.1.5 version 9.1.08 with the 4.4.00 engine and (2) McAfee Corporate 8.0.0 patch 10 with the 4400 engine allows remote attackers to bypass virus scanning via a file such as BAT, HTML, and EML with an "MZ" magic byte sequence which is normally associated with EXE, which causes the file to be treated as a safe type that could still be executed as a dangerous file type by applications on the end system, as demonstrated by a "triple headed" program that contains EXE, EML, and HTML content, aka the "magic byte bug."
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): None
  • Availability (A): Low

CVSS v2 Severity: 5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
  • Access Vector (AV): Network
  • Access Complexity (AC): High
  • Authentication (Au): None
Impact Metrics:
  • Confidentiality (C): Partial
  • Integrity (I): Partial
  • Availability (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
  • Access Vector (AV): Network
  • Access Complexity (AC): Low
  • Authentication (Au): None
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): None
  • Availability (A): Partial

Vulnerability Type: CWE-Other
Vulnerability Consequences: Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2005-3370

Source: MITRE
Type: CNA
CVE-2005-3371

Source: MITRE
Type: CNA
CVE-2005-3372

Source: MITRE
Type: CNA
CVE-2005-3373

Source: MITRE
Type: CNA
CVE-2005-3374

Source: MITRE
Type: CNA
CVE-2005-3375

Source: MITRE
Type: CNA
CVE-2005-3376

Source: MITRE
Type: CNA
CVE-2005-3377

Source: MITRE
Type: CNA
CVE-2005-3378

Source: MITRE
Type: CNA
CVE-2005-3379

Source: MITRE
Type: CNA
CVE-2005-3380

Source: MITRE
Type: CNA
CVE-2005-3381

Source: MITRE
Type: CNA
CVE-2005-3382

Source: MITRE
Type: CNA
CVE-2005-3399

Source: MITRE
Type: CNA
CVE-2005-3400

Source: MITRE
Type: CNA
CVE-2005-3401

Source: BUGTRAQ
Type: UNKNOWN
20051025 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

Source: CCN
Type: BugTraq Mailing List, 2005-10-25 14:00:54
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through

Source: CCN
Type: BugTraq Mailing List, 2005-10-26 19:27:17
Update for the magic byte bug

Source: CCN
Type: McAfee Internet Security Suite 2005 Web site
Internet Security Suite - Desktop Security Software - McAfee

Source: CCN
Type: ArcaVir Web site
ArcaBit - ArcaVir Antivirus Monitor

Source: CCN
Type: Dr. Web Web site
DialogueScience, Inc. - anti-virus solutions for your security

Source: CCN
Type: F-Prot Web site
F-Prot Antivirus Products - Detailed product information on F-Prot Antivirus for Windows, Linux, BSD, Exchange, AIX, Solaris and DOS as well as F-Prot AVES anti-virus and anti-spam email filtering service

Source: CCN
Type: AVG Antivirus Web site
AVG Anti Virus: HOME

Source: CCN
Type: Ikarus AntiVirus Web site
IKARUS Software Vienna - Sober.C stort den Weihnachtsfrieden!

Source: CCN
Type: Kaspersky Antivirus Web site
Kaspersky Lab > Antivirus Software, Computer Virus Protection`AntiSpyware`Spam Filter`Computer Security

Source: CCN
Type: Norman Virus Control Web site
:: NORMAN :: Antivirus | Firewall | Network security

Source: CCN
Type: OSVDB ID: 20932
Multiple Anti-Virus Crafted Filetype Header Scan Bypass (magic byte)

Source: CCN
Type: Panda Antivirus Titanium 2005 Web site
Panda Security Magazine

Source: MISC
Type: UNKNOWN
http://www.securityelf.org/magicbyte.html

Source: MISC
Type: Vendor Advisory
http://www.securityelf.org/magicbyteadv.html

Source: MISC
Type: UNKNOWN
http://www.securityelf.org/updmagic.html

Source: BID
Type: UNKNOWN
15189

Source: CCN
Type: BID-15189
Multiple Vendor Anti-Virus Magic Byte Detection Evasion Vulnerability

Source: CCN
Type: Sophos Anti-Virus Web site
Sophos - Manageable endpoint security

Source: CCN
Type: OfficeScan Web site
Trend Micro Enterprise Homepage

Source: CCN
Type: PC-cillin Web site
PC-cillin Internet Security

Source: CCN
Type: UNA Web site
Антивирус UNA

Source: CCN
Type: eTrust Antivirus Web site
Antivirus, Security Management

Source: XF
Type: UNKNOWN
antivirus-mz-header-detection-bypass(24579)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:mcafee:internet_security_suite:7.1.5_version_9.1.08_engine_4.4.00:*:*:*:*:*:*:*
  • OR cpe:/a:mcafee:internet_security_suite:8.0.0_patch_10_engine_4400:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:broadcom:etrust_antivirus:7.0.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:trend_micro:officescan:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:sophos:sophos_anti-virus:3.91:*:*:*:*:*:*:*
  • OR cpe:/h:fortinet:fortinet:2.48.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:f-prot:f-prot_antivirus:3.16c:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    mcafee internet security suite 7.1.5_version_9.1.08_engine_4.4.00
    mcafee internet security suite 8.0.0_patch_10_engine_4400
    ca etrust antivirus 7.0.1.4
    trend_micro officescan 7.0
    sophos sophos anti-virus 3.91
    fortinet fortinet 2.48.0.0
    f-prot f-prot antivirus 3.16c