Juniper Networks

Signature Detail


Short Name: HTTP:MISC:AV-INVALID-CHKSUM
Severity: Medium
Recommended: No
Recommended Action: Drop
Category: HTTP
Keywords: Multiple AV Vendor Invalid Archive Checksum Bypass
Release Date: 2013/05/29
Update Number: 2268
Supported Platforms: idp-4.0+, isg-3.1.134269+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Multiple AV Vendor Invalid Archive Checksum Bypass


This signature detects attempts against a known vulnerability in the way multiple anti-virus products scan ZIP archive files. A malicious ZIP archive containing known trojans or viruses may be downloaded and stored on the local file system without the affected product raising a warning or otherwise informing the user of a potential threat. The product in such a case exhibits ineffective and misleading behavior.

Extended Description

Multiple antivirus products from various vendors are reported prone to a vulnerability that may allow potentially malformed ZIP archives to bypass detection. This issue arises when an affected application processes a ZIP archive with an invalid CRC-32 checksum. It should be noted that affected software may still detect a malicious file in the archive when it is decompressed or scanned manually. The discoverer of this vulnerability has reported that this issue affects H+BEDV AntiVir, AVG Anti-Virus, Sybari Antigen for Microsoft Exchange, and products by McAfee and BitDefender. Symantec products were not found to be vulnerable to the issue.

Update: Symantec believes that the impact of this issue is low. This is because an archive handler processing an archive that possesses a corrupt CRC-32 checksum will fail, reporting that the archive is corrupt. This would mean that a malicious file contained in such an archive would not be directly accessible to a target recipient user. Alternatively, if the CRC-32 checksum is corrected manually by the recipient user and the file is extracted, it will likely be detected by client-side Anti-Virus solutions during the file extraction routine. This detection will likely occur before the malicious file is directly processed by the end user.
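The condition described above can be checked on the scanning side by recomputing each member's CRC-32 and failing closed on any mismatch instead of skipping the archive. The following is an added example, not Juniper's signature logic or any vendor's code; the function names, the 16 MiB cap and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

MAX_MEMBER = 16 * 1024 * 1024  # assumed cap on inflated size per member

def audit_zip_crc(blob: bytes) -> list:
    """Recompute each member's CRC-32 and compare it with the stored value."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if blob[off:off + 4] != b"PK\x03\x04":
                findings.append((info.filename, "bad-local-header"))
                continue
            # Name and extra-field lengths sit at bytes 26..29 of the header.
            name_len, extra_len = struct.unpack("<HH", blob[off + 26:off + 30])
            start = off + 30 + name_len + extra_len
            raw = blob[start:start + info.compress_size]
            try:
                if info.compress_type == zipfile.ZIP_STORED:
                    data = raw
                elif info.compress_type == zipfile.ZIP_DEFLATED:
                    data = zlib.decompressobj(-15).decompress(raw, MAX_MEMBER)
                else:
                    findings.append((info.filename, "unsupported-method"))
                    continue
            except zlib.error:
                findings.append((info.filename, "corrupt-stream"))
                continue
            # info.CRC is the value recorded in the central directory.
            ok = (zlib.crc32(data) & 0xFFFFFFFF) == info.CRC
            findings.append((info.filename, "ok" if ok else "crc-mismatch"))
    return findings

def should_block(blob: bytes) -> bool:
    """Fail closed: anything other than a clean CRC match is not passed as clean."""
    return any(verdict != "ok" for _, verdict in audit_zip_crc(blob))

def build_sample() -> bytes:
    """Constructed sample: two stored members, one payload byte altered afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("good.txt", b"constructed payload A")
        zf.writestr("altered.txt", b"constructed payload B")
    blob = bytearray(buf.getvalue())
    blob[blob.index(b"constructed payload B")] ^= 0x01
    return bytes(blob)
```

Because the member data is read directly rather than through the library's own CRC-checked reader, the decompressed bytes remain available to hand to a content scanner even when the checksum does not match.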

Affected Products

  • AVG AVG Anti-Virus 7.1.308
  • H+BEDV AntiVir Windows Workstation 6.30.0 .0.5
  • McAfee VirusScan 4.0.0
  • McAfee VirusScan 4.0.3
  • McAfee VirusScan 4.5.0
  • McAfee VirusScan 4.5.1
  • Softwin BitDefender 7.0.0
  • Sybari Software Antigen for Exchange 7.5.1314
  • Symantec AntiVirus Corporate Edition 8.0.0 1
  • Symantec AntiVirus Corporate Edition 8.0.0 1.425a/b
  • Symantec AntiVirus Corporate Edition 8.0.0 1.429c
  • Symantec AntiVirus Corporate Edition 8.0.0 1.501
  • Symantec AntiVirus Corporate Edition 8.0.0 1.9374
  • Symantec AntiVirus Corporate Edition 8.0.0 1.9378
  • Symantec Norton AntiVirus Corporate Edition 8.0.0

References

  • BugTraq: 12771
