ID

VAR-201203-0367


CVE

CVE-2012-1443


TITLE

RAR file parser vulnerability in multiple products that allows malware to evade detection

Trust: 0.8

sources: JVNDB: JVNDB-2012-001895

DESCRIPTION

The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal (aka Cat QuickHeal) 11.00, G Data AntiVirus 21, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Command Antivirus 5.2.11.5, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Emsisoft Anti-Malware 5.1.0.1, PC Tools AntiVirus 7.0.3.5, F-Prot Antivirus 4.6.2.117, VirusBuster 13.6.151.0, Fortinet Antivirus 4.2.254.0, Antiy Labs AVL SDK 2.0.3.7, K7 AntiVirus 9.77.3565, Trend Micro HouseCall 9.120.0.1004, Kaspersky Anti-Virus 7.0.0.125, Jiangmin Antivirus 13.0.900, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, Sophos Anti-Virus 4.61.0, NOD32 Antivirus 5795, Avira AntiVir 7.11.1.163, Norman Antivirus 6.06.12, McAfee Anti-Virus Scanning Engine 5.400.0.1158, Panda Antivirus 10.0.2.7, McAfee Gateway (formerly Webwasher) 2010.1C, Trend Micro AntiVirus 9.120.0.1004, Comodo Antivirus 7424, Bitdefender 7.2, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, nProtect Anti-Virus 2011-01-17.01, AhnLab V3 Internet Security 2011.01.18.00, AVG Anti-Virus 10.0.0.1190, avast! Antivirus 4.8.1351.0 and 5.0.677.0, and VBA32 3.12.14.2 allows user-assisted remote attackers to bypass malware detection via a RAR file with an initial MZ character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different RAR parser implementations. The RAR file parsers of multiple products contain a vulnerability that allows malware to evade detection. If it is later shown that the problem also exists independently in other RAR parser implementations, this CVE may be split. An attacker can evade malware detection by supplying a RAR file that begins with the character sequence MZ. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. 
Sophos Anti-Virus is a set of anti-virus software for various operating systems from Sophos, UK. The software detects and removes viruses, spyware, trojans and worms in real time, ensuring comprehensive network protection for desktops and laptops.

Multiple file-parsing vulnerabilities leading to evasion in different antivirus (AV) products. All affected products are command-line versions of the AVs.

Vulnerability Descriptions

1. Specially crafted infected POSIX TAR files with "[aliases]" as the first 9 bytes evade detection.
   Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00
   CVE no - CVE-2012-1419

2. Specially crafted infected POSIX TAR files with "\7fELF" as the first 4 bytes evade detection.
   Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinet 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03
   CVE no - CVE-2012-1420

3. Specially crafted infected POSIX TAR files with "MSCF" as the first 4 bytes evade detection.
   Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103
   CVE no - CVE-2012-1421

4. Specially crafted infected POSIX TAR files with "ITSF" as the first 4 bytes evade detection.
   Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03
   CVE no - CVE-2012-1422

5. Specially crafted infected POSIX TAR files with "MZ" as the first 2 bytes evade detection.
   Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0
   CVE no - CVE-2012-1423

6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evade detection.
   Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0
   CVE no - CVE-2012-1424

7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evade detection.
   Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004
   CVE no - CVE-2012-1425

8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evade detection.
   Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03
   CVE no - CVE-2012-1426

9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evade detection.
   Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0
   CVE no - CVE-2012-1427

10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evade detection.
    Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0
    CVE no - CVE-2012-1428

11. Specially crafted infected ELF files with "ustar" at offset 257 evade detection.
    Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01
    CVE no - CVE-2012-1429

12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evade detection.
    Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03
    CVE no - CVE-2012-1430

13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evade detection.
    Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03
    CVE no - CVE-2012-1431

14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evade detection.
    Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7
    CVE no - CVE-2012-1432

15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evade detection.
    Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7
    CVE no - CVE-2012-1433

16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evade detection.
    Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7
    CVE no - CVE-2012-1434

17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evade detection.
    Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7
    CVE no - CVE-2012-1435

18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evade detection.
    Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7
    CVE no - CVE-2012-1436

19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evade detection.
    Affected products - Comodo 7425
    CVE no - CVE-2012-1437

20. Specially crafted infected MS Office files with "ustar" at offset 257 evade detection.
    Affected products - Comodo 7425, Sophos 4.61.0
    CVE no - CVE-2012-1438

21. The 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1, it evades detection.
    Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1439

22. The 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1, it evades detection.
    Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1440

23. The 'e_ip' and 'e_res' fields in MS EXE files are parsed incorrectly. If either of these fields in an infected MS EXE file is incremented by 1, it evades detection.
    Affected products - Prevx 3.0
    The 'e_minalloc', 'e_res2', 'e_cparhdr', 'e_crlc', 'e_lfarlc', 'e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum', 'e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1, it evades detection.
    Affected products - eSafe 7.0.017.0, Prevx 3.0
    CVE no - CVE-2012-1441

24. The 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1, it evades detection.
    Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1442

25. Infected RAR files with the initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection.
    Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinet 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Jiangmin 13.0.900, Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0, nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2
    CVE no - CVE-2012-1443

26. The 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1, it evades detection.
    Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1444

27. The 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1, it evades detection.
    Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1445

28. The 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1, it evades detection.
    Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1446

29. The 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1, it evades detection.
    Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7
    CVE no - CVE-2012-1447

30. The 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1, it evades detection.
    Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0, TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1
    CVE no - CVE-2012-1448

31. The 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1, it evades detection.
    Affected products - NOD32 5795, Rising 22.83.00.03
    CVE no - CVE-2012-1449

32. The 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved3 field is incremented by 1, it evades detection.
    Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0
    CVE no - CVE-2012-1450

33. The 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1, it evades detection.
    Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0
    CVE no - CVE-2012-1451

34. The 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved1 field is incremented by 1, it evades detection.
    Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00
    CVE no - CVE-2012-1452

35. The 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1, it evades detection.
    Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1453

36. The 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1, it evades detection.
    Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7
    CVE no - CVE-2012-1454

37. The 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1, it evades detection.
    Affected products - NOD32 5795, Rising 22.83.00.03
    CVE no - CVE-2012-1455

38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection.
    Affected products - AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004
    CVE no - CVE-2012-1456

39. If the length field in the header of a file containing the EICAR test virus inside a TAR archive is set to be greater than the archive's total length (1,000,000 + original length in our experiments), the antivirus declares the file to be clean but the virus gets extracted correctly by the GNU tar program.
    Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0
    CVE no - CVE-2012-1457

40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random access, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header is modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean, but the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header.
    Affected products - ClamAV 0.96.4, Sophos 4.61.0
    CVE no - CVE-2012-1458

41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which the extractor uses to locate the next header in the archive. Suppose a TAR archive contains two files, the first clean and the second infected with the EICAR test virus, and the length field in the header of the first, clean file is modified to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean, but the virus gets extracted correctly by the GNU tar program.
    If 6 random bytes are appended to the end of an infected tar.gz archive, the antivirus declares the file to be clean, but gunzip+tar extract the virus correctly, ignoring these bytes.
    Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2
    CVE no - CVE-2012-1460

43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean, while tar+gunzip extract the virus correctly.
    Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2
    CVE no - CVE-2012-1461

44. If an infected ZIP archive is prepended with 1024 random bytes, the antivirus declares the file to be clean, but the virus gets extracted correctly by the unzip program, which skips these bytes.
    Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103
    CVE no - CVE-2012-1462

45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for big-endian. The Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly.
    Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7
    CVE no - CVE-2012-1463

Credits

Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov.

References

"Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov. To appear in IEEE Symposium on Security and Privacy 2012. http://www.ieee-security.org/TC/SP2012/
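The common thread in items 1-25 and 38-45 above is a disagreement between the scanner's parser and the extractor the victim actually runs. The Python script below is an added example and is not code from the advisory, its authors, or any of the listed products. It builds three chimeric archives of the kinds described in items 5, 43 and 44 and runs each through two views: a deliberately naive scanner that picks a parser from the first bytes of the file and inflates only the first gzip member (a model of the behaviour the advisory reports, not any vendor's real implementation), and the Python standard-library tarfile, zipfile and gzip modules standing in for the extractors a user would run. MARKER is a constructed placeholder for the infected content; no malware sample is involved.

```python
import gzip
import io
import tarfile
import zipfile
import zlib

MARKER = b"X-TEST-MARKER-NOT-MALWARE"  # constructed stand-in for the infected file
USTAR_OFFSET = 257                     # "ustar" magic sits here in every POSIX tar header


def build_tar(member_name: str) -> bytes:
    """POSIX (ustar) tar holding one regular file whose body is MARKER."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(member_name)
        info.size = len(MARKER)
        tf.addfile(info, io.BytesIO(MARKER))
    return buf.getvalue()


def build_zip_with_junk_prefix(junk_len: int = 1024) -> bytes:
    """ZIP whose first local header sits junk_len bytes into the file (item 44).
    Fixed junk instead of random bytes keeps the sample reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", MARKER)
    junk = (bytes(range(256)) * (junk_len // 256 + 1))[:junk_len]
    return junk + buf.getvalue()


def build_split_gzip(tar_bytes: bytes) -> bytes:
    """tar.gz made of two concatenated gzip members (item 43). The cut lies inside
    the member's data block, so a one-member decode yields a truncated payload."""
    cut = tarfile.BLOCKSIZE + 8
    return gzip.compress(tar_bytes[:cut]) + gzip.compress(tar_bytes[cut:])


def _tar_contains_marker(data: bytes) -> bool:
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return any(MARKER in tf.extractfile(m).read() for m in tf if m.isfile())


def naive_scan(data: bytes) -> str:
    """Verdict of a scanner that trusts the leading bytes to choose its parser."""
    if data.startswith(b"MZ"):
        kind = "pe"            # handed to a PE parser; the tar behind it is never examined
    elif data.startswith(b"\x1f\x8b"):
        kind = "gzip"
    elif data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar":
        kind = "tar"
    elif data.startswith(b"PK\x03\x04"):
        kind = "zip"
    else:
        kind = "unknown"       # junk prefix: no magic at offset 0, nothing to parse
    try:
        if kind == "gzip":
            # zlib with wbits=31 inflates exactly one gzip member and stops there
            data = zlib.decompressobj(wbits=31).decompress(data)
            kind = "tar" if data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar" else "unknown"
        if kind == "tar" and _tar_contains_marker(data):
            return "infected"
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(MARKER in zf.read(n) for n in zf.namelist()):
                    return "infected"
    except (tarfile.TarError, zipfile.BadZipFile, zlib.error):
        pass                   # a parse failure is reported as clean, as the advisory describes
    return "clean"


def real_extract(data: bytes) -> bytes:
    """Concatenated member contents as the stdlib extractors recover them."""
    if data.startswith(b"\x1f\x8b"):
        data = gzip.decompress(data)             # the gzip module walks every member
    if data[USTAR_OFFSET:USTAR_OFFSET + 5] == b"ustar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return b"".join(tf.extractfile(m).read() for m in tf if m.isfile())
    if zipfile.is_zipfile(io.BytesIO(data)):     # central directory is located from the end
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return b"".join(zf.read(n) for n in zf.namelist())
    return b""


def samples() -> dict:
    return {
        "tar whose first two bytes are MZ (item 5)": build_tar("MZpayload.txt"),
        "tar.gz split into two gzip members (item 43)": build_split_gzip(build_tar("payload.txt")),
        "zip with 1024 junk bytes prepended (item 44)": build_zip_with_junk_prefix(),
    }


def discrepancies() -> dict:
    """sample name -> (naive verdict, whether the real extractor recovers MARKER)."""
    return {n: (naive_scan(b), MARKER in real_extract(b)) for n, b in samples().items()}


def controls() -> tuple:
    """Verdicts on the untampered tar and tar.gz: the naive scanner does catch those."""
    plain = build_tar("payload.txt")
    return naive_scan(plain), naive_scan(gzip.compress(plain))


if __name__ == "__main__":
    print("controls:", controls())
    for name, (verdict, recovered) in discrepancies().items():
        print(f"{name}: scanner says {verdict}, extractor recovers payload: {recovered}")
```

Every chimera comes back "clean" from the naive scanner while the extractor recovers the marker, and the controls show the same scanner flags the untampered files, which is what makes these evasions silent in practice. The check a practitioner wants from this is to feed a scanner the bytes the extractor produces (decode all gzip members, locate ZIP content from the central directory, fall through to secondary magics such as "ustar" at offset 257 when the offset-0 magic leads nowhere) rather than the bytes the header claims.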

Trust: 2.07

sources: NVD: CVE-2012-1443 // JVNDB: JVNDB-2012-001895 // BID: 52612 // VULHUB: VHN-54724 // PACKETSTORM: 110990

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
comodo | antivirus | eq | 7424 | 2.1
antiy | avl sdk | eq | 2.0.3.7 | 1.8
authentium | command antivirus | eq | 5.2.11.5 | 1.8
avg | anti-virus | eq | 10.0.0.1190 | 1.8
bitdefender | bitdefender | eq | 7.2 | 1.8
clamav | clamav | eq | 0.96.4 | 1.8
emsisoft | anti-malware | eq | 5.1.0.1 | 1.8
ikarus | virus utilities t3 command line scanner | eq | 1.1.97.0 | 1.8
jiangmin | antivirus | eq | 13.0.900 | 1.8
pc tools | antivirus | eq | 7.0.3.5 | 1.8
virusbuster | virusbuster | eq | 13.6.151.0 | 1.8
aladdin | esafe | eq | 7.0.17.0 | 1.8
f secure | f-secure anti-virus | eq | 9.0.16160.0 | 1.8
kaspersky | anti-virus | eq | 7.0.0.125 | 1.8
sophos | anti-virus | eq | 4.61.0 | 1.8
fortinet | antivirus | eq | 4.2.254.0 | 1.8
microsoft | security essentials | eq | 2.0 | 1.8
mcafee | scan engine | eq | 5.400.0.1158 | 1.8
symantec | endpoint protection | eq | 11.0 | 1.6
alwil | avast antivirus | eq | 5.0.677.0 | 1.0
alwil | avast antivirus | eq | 4.8.1351.0 | 1.0
ahnlab | v3 internet security | eq | 2011.01.18.00 | 1.0
trendmicro | trend micro antivirus | eq | 9.120.0.1004 | 1.0
gdata | g data antivirus | eq | 21 | 1.0
rising global | antivirus | eq | 22.83.00.03 | 1.0
k7computing | antivirus | eq | 9.77.3565 | 1.0
eset | nod32 antivirus | eq | 5795 | 1.0
anti virus | vba32 | eq | 3.12.14.2 | 1.0
nprotect | antivirus | eq | 2011-01-17.01 | 1.0
pandasecurity | panda antivirus | eq | 10.0.2.7 | 1.0
mcafee | gateway | eq | 2010.1c | 1.0
norman | antivirus & antispyware | eq | 6.06.12 | 1.0
trendmicro | housecall | eq | 9.120.0.1004 | 1.0
cat | quick heal | eq | 11.00 | 1.0
f prot | f-prot antivirus | eq | 4.6.2.117 | 1.0
avira | antivir | eq | 7.11.1.163 | 1.0
avast s r o | anti-virus | eq | 4.8.1351.0 | 0.8
avast s r o | anti-virus | eq | 5.0.677.0 | 0.8
avira | antivirus | eq | 7.11.1.163 | 0.8
rising | antivirus | eq | 22.83.00.03 | 0.8
eset | nod32 anti-virus | eq | 5795 | 0.8
frisk | f-prot antivirus | eq | 4.6.2.117 | 0.8
g data | antivirus | eq | 21 | 0.8
k7 computing | antivirus | eq | 9.77.3565 | 0.8
norman | antivirus | eq | 6.06.12 | 0.8
nprotect | anti-virus | eq | 2011-01-17.01 | 0.8
panda security | antivirus | eq | 10.0.2.7 | 0.8
virusblokada | vba32 | eq | 3.12.14.2 | 0.8
unlab | v3 internet security | eq | 2011.01.18.00 | 0.8
quick heal k k | heal | eq | 11.00 | 0.8
symantec | endpoint protection | eq | 11 | 0.8
trend micro | antivirus | eq | 9.120.0.1004 | 0.8
trend micro | housecall | eq | 9.120.0.1004 | 0.8
mcafee | web gateway software | eq | 2010.1c | 0.8
virusblokada | vba32 | eq | 3.12.142 | 0.3
trend micro | virusbuster | eq | 13.6.1510 | 0.3
trend micro | trend micro | eq | 9.1201004 | 0.3
trend micro | housecall | eq | 9.1201004 | 0.3
symantec | antivirus | eq | 20101.3103 | 0.3
sophos | anti-virus | eq | 4.61 | 0.3
rising | antivirus | eq | 22.8303 | 0.3
quick heal | cat-quickheal | eq | 11.00 | 0.3
pctools | antivirus | eq | 7.0.35 | 0.3
panda | antivirus | eq | 10.0.27 | 0.3
norman | antivirus | eq | 6.6.12 | 0.3
mcafee | mcafee-gw-edition 2010.1c | - | - | 0.3
k7 | computing pvt ltd k7antivirus | eq | 9.77.3565 | 0.3
inca | nprotect | eq | 2011-01-17.01 | 0.3
ikarus | antivirus t3.1.1.97.0 | - | - | 0.3
g | data software gdata | eq | 21 | 0.3
frisk | software f-prot antivirus | eq | 4.6.2117 | 0.3
fortinet | antivirus | eq | 4.2.2540 | 0.3
f secure | antivirus | eq | 9.0.16160.0 | 0.3
eset | nod32 | eq | 5795 | 0.3
esafe | antivirus | eq | 7.0.170 | 0.3
emsisoft | antivirus | eq | 5.11 | 0.3
bitdefender | antivirus | eq | 7.2 | 0.3
avira | antivir engine | eq | 7.11.1163 | 0.3
avg | anti-virus | eq | 10.01190 | 0.3
avast | avast5 antivirus | eq | 5.0.6770 | 0.3
avast | antivirus | eq | 4.8.1351.0 | 0.3
authentium | command antivirus | eq | 5.2.115 | 0.3
antiy | antiy-avl | eq | 2.0.37 | 0.3
ahnlab | engine | eq | v32011.01.18.00 | 0.3

sources: BID: 52612 // JVNDB: JVNDB-2012-001895 // CNNVD: CNNVD-201203-407 // NVD: CVE-2012-1443

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-1443
value: MEDIUM

Trust: 1.0

NVD: CVE-2012-1443
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201203-407
value: MEDIUM

Trust: 0.6

VULHUB: VHN-54724
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2012-1443
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-54724
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-54724 // JVNDB: JVNDB-2012-001895 // CNNVD: CNNVD-201203-407 // NVD: CVE-2012-1443

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-54724 // JVNDB: JVNDB-2012-001895 // NVD: CVE-2012-1443

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201203-407

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201203-407

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001895

PATCH

title | url | Trust
AVL SDK | http://www.antiy.net/en/avlsdk.html | 0.8
Command Antivirus | http://www.authentium.com/command/CSAVDownload.html | 0.8
Top Page | https://www.avast.co.jp/index | 0.8
AVG Anti-Virus | http://www.avgjapan.com/home-small-office-security/buy-antivirus | 0.8
Top Page | http://www.avira.com/ | 0.8
Top Page | http://www.rising-global.com/ | 0.8
Top Page | http://www.bitdefender.com/ | 0.8
Top Page | http://www.clamav.net/lang/en/ | 0.8
Comodo Antivirus | http://www.comodo.com/home/internet-security/antivirus.php | 0.8
Emsisoft Anti-Malware | http://www.emsisoft.com/en/software/antimalware/ | 0.8
ESET NOD32 Antivirus | http://www.eset.com/us/ | 0.8
Top Page | http://www.fortinet.com/ | 0.8
Top Page | http://www.f-prot.com/ | 0.8
Top Page | http://www.gdata.co.jp/ | 0.8
IKARUS virus.utilities | http://www.ikarus.at/en/ngo-gov/products/virus_utilities/index.html | 0.8
Jiangmin Antivirus | http://global.jiangmin.com/ | 0.8
K7 AntiVirus | http://www.k7computing.com/en/Product/k7-antivirusplus.php | 0.8
McAfee Scan Engine | http://www.mcafee.com/us/support/support-eol-scan-engine.aspx | 0.8
Top Page | http://www.norman.com/ | 0.8
nProtect Anti-Virus | http://global.nprotect.com/product/avs.php | 0.8
Top Page | http://www.ps-japan.co.jp/ | 0.8
PC Tools AntiVirus | http://www.pctools.com/jp/spyware-doctor-antivirus/ | 0.8
Top Page | http://www.quickheal.com/ | 0.8
Endpoint Protection | http://www.symantec.com/ja/jp/endpoint-protection | 0.8
Top Page | http://jp.trendmicro.com/jp/home/ | 0.8
Trend Micro HouseCall | http://jp.trendmicro.com/jp/tools/housecall/ | 0.8
Top Page | http://anti-virus.by/en | 0.8
Top Page | http://www.virusbuster.hu/en | 0.8
eSafe | http://www.aladdin.co.jp/esafe/ | 0.8
V3 Internet Security | http://www.ahnlab.co.jp/product_service/product/b2b/v3is8.asp | 0.8
Kaspersky Anti-Virus | http://www.kaspersky.com/kaspersky_anti-virus | 0.8
Top Page | http://www.sophos.com | 0.8
Microsoft Security Essentials | http://windows.microsoft.com/ja-JP/windows/products/security-essentials | 0.8
McAfee Web Gateway | http://www.mcafee.com/japan/products/web_gateway.asp | 0.8
F-Secure Anti-Virus | http://www.f-secure.com/ja/web/home_jp/protection/anti-virus/overview | 0.8

sources: JVNDB: JVNDB-2012-001895

EXTERNAL IDS

db | id | Trust
NVD | CVE-2012-1443 | 2.9
BID | 52612 | 1.4
OSVDB | 80469 | 1.1
OSVDB | 80461 | 1.1
OSVDB | 80454 | 1.1
OSVDB | 80455 | 1.1
OSVDB | 80467 | 1.1
OSVDB | 80468 | 1.1
OSVDB | 80471 | 1.1
OSVDB | 80456 | 1.1
OSVDB | 80459 | 1.1
OSVDB | 80472 | 1.1
OSVDB | 80470 | 1.1
OSVDB | 80457 | 1.1
OSVDB | 80460 | 1.1
OSVDB | 80458 | 1.1
JVNDB | JVNDB-2012-001895 | 0.8
CNNVD | CNNVD-201203-407 | 0.7
BUGTRAQ | 20120319 EVASION ATTACKS EXPOLITING FILE-PARSING VULNERABILITIES IN ANTIVIRUS PRODUCTS | 0.6
NSFOCUS | 19198 | 0.6
VULHUB | VHN-54724 | 0.1
PACKETSTORM | 110990 | 0.1

sources: VULHUB: VHN-54724 // BID: 52612 // JVNDB: JVNDB-2012-001895 // PACKETSTORM: 110990 // CNNVD: CNNVD-201203-407 // NVD: CVE-2012-1443

REFERENCES

url | Trust
http://www.securityfocus.com/archive/1/522005 | 1.7
http://www.ieee-security.org/tc/sp2012/program.html | 1.7
http://www.securityfocus.com/bid/52612 | 1.1
http://osvdb.org/80454 | 1.1
http://osvdb.org/80455 | 1.1
http://osvdb.org/80456 | 1.1
http://osvdb.org/80457 | 1.1
http://osvdb.org/80458 | 1.1
http://osvdb.org/80459 | 1.1
http://osvdb.org/80460 | 1.1
http://osvdb.org/80461 | 1.1
http://osvdb.org/80467 | 1.1
http://osvdb.org/80468 | 1.1
http://osvdb.org/80469 | 1.1
http://osvdb.org/80470 | 1.1
http://osvdb.org/80471 | 1.1
http://osvdb.org/80472 | 1.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1443 | 0.8
http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-1443 | 0.8
http://www.nsfocus.net/vulndb/19198 | 0.6
http://seclists.org/bugtraq/2012/mar/88 | 0.3
https://nvd.nist.gov/vuln/detail/cve-2012-1419 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1439 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1426 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1429 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1436 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1440 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1432 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1438 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1428 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1446 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1443 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1444 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1441 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1421 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1430 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1434 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1435 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1424 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1431 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1425 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1423 | 0.1
http://www.ieee-security.org/tc/sp2012/ | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1442 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1422 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1433 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1420 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1427 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1445 | 0.1
https://nvd.nist.gov/vuln/detail/cve-2012-1437 | 0.1

sources: VULHUB: VHN-54724 // BID: 52612 // JVNDB: JVNDB-2012-001895 // PACKETSTORM: 110990 // CNNVD: CNNVD-201203-407 // NVD: CVE-2012-1443

CREDITS

Suman Jana and Vitaly Shmatikov

Trust: 0.3

sources: BID: 52612

SOURCES

db | id
VULHUB | VHN-54724
BID | 52612
JVNDB | JVNDB-2012-001895
PACKETSTORM | 110990
CNNVD | CNNVD-201203-407
NVD | CVE-2012-1443

LAST UPDATE DATE

2024-11-23T21:46:28.266000+00:00


SOURCES UPDATE DATE

db | id | date
VULHUB | VHN-54724 | 2012-11-06T00:00:00
BID | 52612 | 2015-03-19T08:41:00
JVNDB | JVNDB-2012-001895 | 2012-03-26T00:00:00
CNNVD | CNNVD-201203-407 | 2012-04-01T00:00:00
NVD | CVE-2012-1443 | 2024-11-21T01:36:59.753

SOURCES RELEASE DATE

db | id | date
VULHUB | VHN-54724 | 2012-03-21T00:00:00
BID | 52612 | 2012-03-20T00:00:00
JVNDB | JVNDB-2012-001895 | 2012-03-26T00:00:00
PACKETSTORM | 110990 | 2012-03-19T23:51:01
CNNVD | CNNVD-201203-407 | 2012-03-26T00:00:00
NVD | CVE-2012-1443 | 2012-03-21T10:11:48.083