ID

VAR-200502-0003


CVE

CVE-2004-0937


TITLE

Anti-virus software may not properly scan malformed zip archives

Trust: 0.8

sources: CERT/CC: VU#968818

DESCRIPTION

Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allow remote attackers to bypass antivirus protection via a compressed file whose local and global headers are both set to zero; the zeroed headers do not prevent the compressed file from being opened on a target system. Anti-virus software may rely on corrupted headers to determine whether a zip archive is valid, and as a result may fail to detect malicious content within the archive.

Multiple vendors' antivirus applications are reported vulnerable to a zip file detection evasion vulnerability. Maliciously crafted zip files may avoid being scanned and detected, bypassing the protection provided by a vulnerable antivirus program and giving users a false sense of security. If the user opens and executes the file, a malicious code infection can result. This issue is reported to affect products offered by McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. The latest antivirus products from Symantec, Bitdefender, Trend Micro and Panda are not vulnerable to this issue.

Many anti-virus vendors' products have problems when processing .zip files, and remote attackers can use this weakness to embed malicious code that bypasses anti-virus inspection. The problem lies in the parsing of the .zip header fields. The metadata for a file stored in a .zip archive is kept in two places: a local header, which precedes that file's compressed data, and a global header, which is located at the end of the .zip file. An attacker can modify the uncompressed size value in both the local and global header fields without affecting the archive's function, but many antivirus vendors' software does not handle such archives correctly: if the compressed payload contains malicious code, it is not detected.

Trust: 1.98

sources: NVD: CVE-2004-0937 // CERT/CC: VU#968818 // BID: 11448 // VULHUB: VHN-9367

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
suse | linux | eq | 9.2 | 1.6
sophos | small business suite | eq | 1.0 | 1.3
sophos | puremessage anti-virus | eq | 4.6 | 1.3
sophos | anti-virus | eq | 3.86 | 1.3
sophos | anti-virus | eq | 3.85 | 1.3
sophos | anti-virus | eq | 3.84 | 1.3
sophos | anti-virus | eq | 3.83 | 1.3
sophos | anti-virus | eq | 3.82 | 1.3
sophos | anti-virus | eq | 3.81 | 1.3
sophos | anti-virus | eq | 3.80 | 1.3
sophos | anti-virus | eq | 3.79 | 1.3
sophos | anti-virus | eq | 3.78 | 1.3
sophos | anti-virus | eq | 3.4.6 | 1.3
mcafee | antivirus engine | eq | 4.3.20 | 1.3
gentoo | linux | eq | 1.4 | 1.3
broadcom | etrust antivirus gateway | eq | 7.1 | 1.0
rav antivirus | desktop | eq | 8.6 | 1.0
sophos | anti-virus | eq | 3.78d | 1.0
broadcom | etrust antivirus | eq | 7.1 | 1.0
broadcom | etrust ez armor | eq | 2.3 | 1.0
kaspersky lab | anti-virus | eq | 5.0 | 1.0
rav antivirus | for file servers | eq | 1.0 | 1.0
kaspersky lab | anti-virus | eq | 3.0 | 1.0
eset | nod32 antivirus | eq | 1.0.12 | 1.0
broadcom | etrust secure content manager | eq | 1.1 | 1.0
kaspersky lab | anti-virus | eq | 4.0 | 1.0
mandrakesoft | mandrake linux | eq | 10.1 | 1.0
eset | nod32 antivirus | eq | 1.0.13 | 1.0
broadcom | etrust ez antivirus | eq | 6.2 | 1.0
broadcom | etrust antivirus gateway | eq | 7.0 | 1.0
rav antivirus | for mail servers | eq | 8.4.2 | 1.0
broadcom | etrust intrusion detection | eq | 1.4.1.13 | 1.0
broadcom | etrust antivirus | eq | 7.0 | 1.0
broadcom | etrust secure content manager | eq | 1.0 | 1.0
gentoo | linux | eq | * | 1.0
broadcom | etrust intrusion detection | eq | 1.5 | 1.0
broadcom | etrust ez armor | eq | 2.4 | 1.0
eset | nod32 antivirus | eq | 1.0.11 | 1.0
broadcom | etrust ez antivirus | eq | 6.1 | 1.0
broadcom | brightstor arcserve backup | eq | 11.1 | 1.0
broadcom | inoculateit | eq | 6.0 | 1.0
broadcom | etrust intrusion detection | eq | 1.4.5 | 1.0
broadcom | etrust ez antivirus | eq | 6.3 | 1.0
broadcom | etrust ez armor | eq | 2.0 | 1.0
ca | etrust antivirus | eq | 7.0_sp2 | 1.0
ca | etrust secure content manager | eq | 1.0 | 1.0
archive zip | archive zip | eq | 1.13 | 1.0
sophos | anti-virus d | eq | 3.78 | 0.3
s u s e | linux personal | eq | 9.2 | 0.3
rav | antivirus rav antivirus for mail servers | eq | 8.4.2 | 0.3
rav | antivirus rav antivirus for file servers | eq | 1.0 | 0.3
rav | antivirus rav antivirus desktop | eq | 8.6 | 0.3
mandriva | linux mandrake x86 64 | eq | 10.1 | 0.3
mandriva | linux mandrake | eq | 10.1 | 0.3
kaspersky | labs antivirus scanning engine | eq | 5.0 | 0.3
kaspersky | labs antivirus scanning engine | eq | 4.0 | 0.3
kaspersky | labs antivirus scanning engine | eq | 3.0 | 0.3
gentoo | linux | - | - | 0.3
eset | nod32 antivirus | eq | 1.013 | 0.3
eset | nod32 antivirus | eq | 1.012 | 0.3
eset | nod32 antivirus | eq | 1.011 | 0.3
computer | associates inoculateit | eq | 6.0 | 0.3
computer | associates etrust secure content manager | eq | 1.1 | 0.3
computer | associates etrust secure content manager sp1 | eq | 1.0 | 0.3
computer | associates etrust secure content manager | eq | 1.0 | 0.3
computer | associates etrust intrusion detection | eq | 1.5 | 0.3
computer | associates etrust intrusion detection | eq | 1.4.5 | 0.3
computer | associates etrust intrusion detection | eq | 1.4.1.13 | 0.3
computer | associates etrust ez armor | eq | 2.4 | 0.3
computer | associates etrust ez armor | eq | 2.3 | 0.3
computer | associates etrust ez armor | eq | 2.0 | 0.3
computer | associates etrust ez antivirus | eq | 6.3 | 0.3
computer | associates etrust ez antivirus | eq | 6.2 | 0.3
computer | associates etrust ez antivirus | eq | 6.1 | 0.3
computer | associates etrust antivirus for the gateway | eq | 7.1 | 0.3
computer | associates etrust antivirus for the gateway | eq | 7.0 | 0.3
computer | associates etrust antivirus | eq | 7.1 | 0.3
computer | associates etrust antivirus sp2 | eq | 7.0 | 0.3
computer | associates etrust antivirus | eq | 7.0 | 0.3
computer | associates brightstor arcserve backup for windows | eq | 11.1 | 0.3
archive zip | archive::zip | eq | 1.13 | 0.3
archive zip | archive::zip | ne | 1.14 | 0.3

sources: BID: 11448 // CNNVD: CNNVD-200502-042 // NVD: CVE-2004-0937

CVSS

SEVERITY

nvd@nist.gov: CVE-2004-0937
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#968818
value: 7.59

Trust: 0.8

CNNVD: CNNVD-200502-042
value: HIGH

Trust: 0.6

VULHUB: VHN-9367
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2004-0937
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-9367
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#968818 // VULHUB: VHN-9367 // CNNVD: CNNVD-200502-042 // NVD: CVE-2004-0937

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-0937

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200502-042

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-200502-042

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-9367

PATCH

title: Many anti-virus vendors software Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146859

Trust: 0.6

sources: CNNVD: CNNVD-200502-042

EXTERNAL IDS

db: CERT/CC  id: VU#968818

Trust: 2.5

db: NVD  id: CVE-2004-0937

Trust: 2.0

db: BID  id: 11448

Trust: 2.0

db: CNNVD  id: CNNVD-200502-042

Trust: 0.7

db: EXPLOIT-DB  id: 629

Trust: 0.1

db: VULHUB  id: VHN-9367

Trust: 0.1

sources: CERT/CC: VU#968818 // VULHUB: VHN-9367 // BID: 11448 // CNNVD: CNNVD-200502-042 // NVD: CVE-2004-0937

REFERENCES

url:http://www.securityfocus.com/bid/11448

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/968818

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/17761

Trust: 1.7

url:http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true

Trust: 1.6

url:http://www.linuxsecurity.com/advisories/gentoo_advisory-5043.html

Trust: 0.8

url:http://rt.cpan.org/noauth/bug.html?id=8077

Trust: 0.8

url:http://www.idefense.com/application/poi/display?id=153

Trust: 0.8

url:http://download.mcafee.com/uk/updates/updates.asp

Trust: 0.3

url:http://www.nod32.com/

Trust: 0.3

url:http://www.kaspersky.com/

Trust: 0.3

url:http://www.ravantivirus.com/

Trust: 0.3

url:http://www.sophos.com/

Trust: 0.3

url:http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp

Trust: 0.3

url:/archive/1/378660

Trust: 0.3

url:http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true

Trust: 0.1

sources: CERT/CC: VU#968818 // VULHUB: VHN-9367 // BID: 11448 // CNNVD: CNNVD-200502-042 // NVD: CVE-2004-0937

CREDITS

iDEFENSE Security Advisory, labs@idefense.com

Trust: 0.6

sources: CNNVD: CNNVD-200502-042

SOURCES

db: CERT/CC  id: VU#968818
db: VULHUB  id: VHN-9367
db: BID  id: 11448
db: CNNVD  id: CNNVD-200502-042
db: NVD  id: CVE-2004-0937

LAST UPDATE DATE

2024-08-14T13:51:14.269000+00:00


SOURCES UPDATE DATE

db: CERT/CC  id: VU#968818  date: 2005-01-14T00:00:00
db: VULHUB  id: VHN-9367  date: 2017-07-11T00:00:00
db: BID  id: 11448  date: 2009-07-12T08:06:00
db: CNNVD  id: CNNVD-200502-042  date: 2021-04-08T00:00:00
db: NVD  id: CVE-2004-0937  date: 2021-04-09T17:00:09.303

SOURCES RELEASE DATE

db: CERT/CC  id: VU#968818  date: 2004-12-10T00:00:00
db: VULHUB  id: VHN-9367  date: 2005-02-09T00:00:00
db: BID  id: 11448  date: 2004-10-18T00:00:00
db: CNNVD  id: CNNVD-200502-042  date: 2004-10-15T00:00:00
db: NVD  id: CVE-2004-0937  date: 2005-02-09T05:00:00