Release mode: Coordinated but limited disclosure.
Ref         : TZO-182009 - Mcafee multiple generic evasions
Vendor      : http://www.mcafee.com      
Status      : Patched
CVE         : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

Security notification reaction rating : very good
Notification to patch window : +-27 days (Eastern holidays in between)

Disclosure Policy :  http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

  • McAfee VirusScan® Plus 2009
  • McAfee Total Protection™ 2009
  • McAfee Internet Security
  • McAfee VirusScan USB
  • McAfee VirusScan Enterprise
  • McAfee VirusScan Enterprise Linux
  • McAfee VirusScan Enterprise for SAP
  • McAfee VirusScan Enterprise for Storage
  • McAfee VirusScan Commandline
  • Mcafee SecurityShield for Microsoft ISA Server
  • Mcafee Security for Microsoft Sharepoint
  • Mcafee Security for Email Servers
  • McAfee Email Gateyway
  • McAfee Total Protection for Endpoint
  • McAfee Active Virus Defense
  • McAfee Active VirusScan

It is unkown whether SaaS were affected (tough likely) :
  • McAfee Email Security Service
  • McAfee Total Protection Service Advanced

I. Background
Quote: "McAfee proactively secures systems and networks from known and as yet undiscovered threats worldwide. Home users, businesses, service providers, government agencies, and our partners all trust
our unmatched security expertise and have confidence in our comprehensive and proven solutions to effectively block attacks and prevent disruptions."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted RAR (Headflags and Packsize),ZIP (Filelength) archive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within RAR and ZIP archives. There is no inspection of the content at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
DD/MM/YYYY
  • 04/04/2009 : Send proof of concept RAR I, description the terms under which I cooperate and the planned disclosure date
  • 06/04/2009 : Send proof of concept RAR II, description the terms under which I cooperate and the planned disclosure date 
  • 06/04/2009 : Mcafee acknowledges receipt and reproduction of RAR I, acknowledges receipt of RARII 
  • 10/04/2009 : Send proof of concept ZIP I, description the terms under which I cooperate and the planned disclosure date
  • 21/04/2009 : Mcafee provides CVE number CVE-2009-1348 
  • 28/04/2009 : Mcafee informs me that the patch might be released on the 29th
  • 29/04/2009 : Mcafee confirms patch release and provides URL
    https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT 
  • 29/04/2009 : Ask for affected versions
  • 29/04/2009 : Mcafee replies " This issue does affect all vs engine products, including  both gateway and endpoint"

0 comments

Post a Comment