Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

This site is deprecated. Please CLICK HERE for latest updates

Short Name

 HTTP:STC:AV-GATEWAY-BYPASS

Severity

 Minor

Recommended

 No

Recommended Action

 Drop

Category

 HTTP

Keywords

 Multiple Vendor AV Gateway Virus Detection Bypass

Release Date

 2012/01/09

Update Number

 2060

Supported Platforms

 idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: Multiple Vendor AV Gateway Virus Detection Bypass


A virus detection bypass vulnerability has been found in multiple Anti-virus Gateway products. The anti-virus scanning mechanisms of affected products encoded data embedded in an HTML document using the data: scheme. An attacker can exploit this flaw to deliver malicious content in HTML documents. The vulnerable application will not exhibit any unusual behaviour during a successful attack. The malicious content will pass unchecked through the scanning mechanisms of a vulnerable product.

Extended Description

Multiple vendor anti-virus gateway products are reported prone to a security weakness that could lead to a false sense of security. It is reported that the affected anti-virus gateways do not decode base64-encoded images that are contained in 'data' URIs. A malicious image that is obfuscated in this manner will bypass the affected anti-virus scanner; the image will be rendered in the browser of a target user when the malicious page is viewed. It is reported that because Microsoft Internet Explorer does not support the 'data' URI, Internet Explorer cannot be used as an attack vector to exploit this weakness. This weakness may lead to a false sense of security where a network administrator believes that the affected product will detect malicious images designed to trigger a target vulnerability. In reality, the images may be obfuscated by an attacker and may not be detected.

Affected Products

  • Alt_linux alt_linux_compact 2.3.0
  • Alt_linux alt_linux_junior 2.3.0
  • Check_point_software firewall-1_r55_hfa08_with_smartdefense
  • Clam_anti-virus clamav 0.51.0
  • Clam_anti-virus clamav 0.52.0
  • Clam_anti-virus clamav 0.53.0
  • Clam_anti-virus clamav 0.54.0
  • Clam_anti-virus clamav 0.60.0
  • Clam_anti-virus clamav 0.65.0
  • Clam_anti-virus clamav 0.67.0
  • Clam_anti-virus clamav 0.68.0
  • Clam_anti-virus clamav 0.68.0 -1
  • Clam_anti-virus clamav 0.70.0
  • Clam_anti-virus clamav 0.80.0
  • Clam_anti-virus clamav 0.80.0 Rc1
  • Clam_anti-virus clamav 0.80.0 Rc2
  • Clam_anti-virus clamav 0.80.0 Rc3
  • Clam_anti-virus clamav 0.80.0 Rc4
  • Clam_anti-virus clamav 0.81.0
  • Gentoo linux
  • Ibm siteprotector 2.0.0 SP3
  • Ibm siteprotector 2.0.4.561
  • Ironport ironport_with_sophos_av Engine 3.88
  • Mandriva corporate_server 3.0.0
  • Mandriva corporate_server 3.0.0 X86 64
  • Mandriva linux_mandrake 10.1.0
  • Mandriva linux_mandrake 10.1.0 X86 64
  • Mcafee webshield_3000 4.3.20
  • Tippingpoint unity-one_with_digital_vacine 2.0.0.2070
  • Trend_micro interscan_messaging_security_suite 3.81.0
  • Trend_micro interscan_messaging_security_suite 5.5.0
  • Trend_micro webprotect 3.1.0

References

  • BugTraq: 12269
  • CVE: CVE-2005-0218

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out