Vulnerability Name:

CVE-2012-1425 (CCN-74234)

Assigned: 2012-03-19
Published: 2012-03-19
Updated: 2012-08-14
Summary: The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, Quick Heal (aka Cat QuickHeal) 11.00, Emsisoft Anti-Malware 5.1.0.1, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, and Trend Micro HouseCall 9.120.0.1004 allows remote attackers to bypass malware detection via a POSIX TAR file with an initial \50\4B\03\04 character sequence.
Note: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.5 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:U/RC:UR)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: CCN
Type: BugTraq Mailing List, Sun Mar 18 2012
Evasion attacks exploiting file-parsing vulnerabilities in antivirus products

Source: MITRE
Type: CNA
CVE-2012-1425

Source: CCN
Type: Jiangmin Web Site
Jiangmin Antivirus

Source: OSVDB
Type: UNKNOWN
80389

Source: OSVDB
Type: UNKNOWN
80391

Source: OSVDB
Type: UNKNOWN
80392

Source: OSVDB
Type: UNKNOWN
80395

Source: OSVDB
Type: UNKNOWN
80396

Source: OSVDB
Type: UNKNOWN
80403

Source: OSVDB
Type: UNKNOWN
80409

Source: CCN
Type: Antiy Labs Web Site
Antiy Labs Antivirus

Source: CCN
Type: Avira Web Site
Avira Antivirus

Source: CCN
Type: Emsisoft Web Site
Emsisoft Anti-Malware

Source: CCN
Type: ESET Web Site
ESET - Antivirus Software with Spyware and Malware Protection

Source: CCN
Type: Fortinet Web Site
Fortinet Antivirus

Source: MISC
Type: UNKNOWN
http://www.ieee-security.org/TC/SP2012/program.html

Source: CCN
Type: Ikarus Web Site
Ikarus Security Software

Source: CCN
Type: Kaspersky Web Site
Kaspersky Antivirus

Source: CCN
Type: McAfee Web Site
McAfee Antivirus

Source: CCN
Type: Norman Web Site
Antivirus | Norman — Proactive IT security

Source: CCN
Type: OSVDB ID: 80387
Avira AntiVir Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80388
Trend Micro Multiple Product Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80389
McAfee Multiple Product Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80391
Jiangmin Antivirus Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80392
Antiy Labs AVL SDK Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80395
Ikarus Virus Utilities T3 Command Line Scanner Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80396
Emsisoft Anti-Malware Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80403
Kaspersky Anti-Virus Malformed TAR File Handling Scan Bypass

Source: CCN
Type: OSVDB ID: 80409
Quick Heal Malformed TAR File Handling Scan Bypass

Source: CCN
Type: PC Tools Web Site
PC Tools Antivirus

Source: CCN
Type: Quick Heal Web Site
Quick Heal Antivirus

Source: BUGTRAQ
Type: UNKNOWN
20120319 Evasion attacks exploiting file-parsing vulnerabilities in antivirus products

Source: CCN
Type: BID-52580
Multiple AntiVirus Products TAR File Scan Evasion Vulnerability

Source: CCN
Type: Symantec Web Site
Symantec Antivirus

Source: CCN
Type: Trend Micro Web Site
Trend Micro Antivirus

Source: XF
Type: UNKNOWN
multiple-antivir-tar-evasion(74234)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:antiy:avl_sdk:2.0.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:avira:antivir:7.11.1.163:*:*:*:*:*:*:*
  • OR cpe:/a:cat:quick_heal:11.00:*:*:*:*:*:*:*
  • OR cpe:/a:emsisoft:anti-malware:5.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:eset:nod32_antivirus:5795:*:*:*:*:*:*:*
  • OR cpe:/a:fortinet:fortinet_antivirus:4.2.254.0:*:*:*:*:*:*:*
  • OR cpe:/a:ikarus:ikarus_virus_utilities_t3_command_line_scanner:1.1.97.0:*:*:*:*:*:*:*
  • OR cpe:/a:jiangmin:jiangmin_antivirus:13.0.900:*:*:*:*:*:*:*
  • OR cpe:/a:kaspersky:kaspersky_anti-virus:7.0.0.125:*:*:*:*:*:*:*
  • OR cpe:/a:mcafee:gateway:2010.1c:*:*:*:*:*:*:*
  • OR cpe:/a:mcafee:scan_engine:5.400.0.1158:*:*:*:*:*:*:*
  • OR cpe:/a:norman:norman_antivirus_&_antispyware:6.06.12:*:*:*:*:*:*:*
  • OR cpe:/a:pc_tools:pc_tools_antivirus:7.0.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:endpoint_protection:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:trendmicro:housecall:9.120.0.1004:*:*:*:*:*:*:*
  • OR cpe:/a:trendmicro:trend_micro_antivirus:9.120.0.1004:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:symantec:endpoint_protection:11.0.6200.754:*:*:*:*:*:*:*
  • OR cpe:/a:fortinet:fortinet_antivirus:4.2.254.0:*:*:*:*:*:*:*
  • OR cpe:/a:eset:nod32_antivirus:5795:*:*:*:*:*:*:*
  • OR cpe:/a:emsisoft:anti-malware:5.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:jiangmin:jiangmin_antivirus:13.0.900:*:*:*:*:*:*:*
  • OR cpe:/a:avira:antivir:7.11.1.163:*:*:*:*:*:*:*
