Release mode: Forced release, vendor has not replied.
Ref : TZO-092009 - AVAST Generic Evasion
Vendor : http://www.avast.com

Security notification reaction rating : Catastrophic (once woken up: ok)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

- Known affected engine versions: prior to and after VPS:090409-0

Update : After the reaction from avast it is clear that all versions and products are affected; however, there is no plan to patch. I recommend that existing customers who care about their overall security posture (enterprise deployments) contact avast and ask for a patch. You are encouraged to read the timeline and draw your own conclusions.

Desktop Protection
  • avast! 4 Professional (impact low, reason real-time protection)
  • avast! 4 Home Edition (impact low, reason real-time protection)
  • avast! Pro Family pack (impact low, reason real-time protection)
  • avast! WHS Edition (impact low, reason real-time protection)
  • avast! Mac Edition (impact unknown)
  • avast! Linux Home Edition (impact unknown)
  • avast! U3 Edition (impact unknown)
  • avast! 4 BART CD (impact unknown)
  • avast! for PDA (impact unknown)
Corporate Protection
  • avast! 4 Server Edition(impact high, complete bypass)
  • avast! 4 Server Edition Plug-ins
  • avast! 4 Exchange Server Edition (impact high, complete bypass)
  • avast! 4 ISA Server Edition (impact high, complete bypass)
  • avast! 4 SharePoint Server Edition (impact high, complete bypass)
  • avast! 4 SMTP Server Edition (impact high, complete bypass)
  • avast! 4 Lotus Domino Edition (impact high, complete bypass)
  • avast! Distributed Network Manager (impact high, complete bypass)
  • avast! 4 Professional (impact unknown)
  • avast! 4 BART CD (impact unknown)
  • avast! for Linux/Unix Server (impact high, complete bypass)
  • avast! for PDA (impact unknown)
  • Net.Purum (impact unknown)
OEM
  • Copperfasten - Mail Firewall Appliance
  • TN North Software - Internet Anywhere eMailServer
  • IceWarp Software - Merak Email Server
  • SmartMax Software, Inc. - MailMax Server
  • NetWin Software - SurgeMail Email Server
  • Hexamail Ltd. - Hexamail Guard - Antivirus option
  • Bains Digital - Defender MX

I. Background

Quote: "Comprehensive network security solution for corporate customers certified and tested by ICSA and Checkmark. It provides complete server and desktop virus protection."


II. Description

The parsing engine can be bypassed by a specially crafted and formatted RAR archive. Details are currently withheld.


III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting the code inside the RAR archive: the archive's content is not inspected at all.
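The defensive lesson of an archive-parsing bypass is that a gateway scanner must never hand on content it could not fully enumerate. The following Python example is added here and is not part of this advisory nor avast code; it does not reproduce the withheld evasion. It walks the public RAR 4.x block structure (marker, main header, file headers, end block), checks every header CRC and every declared size against the file bounds, and applies a fail-closed policy: any structural inconsistency yields a quarantine verdict instead of a silent pass. The `build_rar` helper and the three sample archives are constructed solely as offline test input; `gateway_verdict` and `UninspectableArchive` are names chosen for this example.

```python
import struct
import zlib

RAR_SIGNATURE = b"Rar!\x1a\x07\x00"   # marker block of a RAR 4.x archive
BLOCK_MAIN, BLOCK_FILE, BLOCK_END = 0x73, 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000              # block carries a 4-byte ADD_SIZE field
FLAG_LARGE = 0x100                    # file header carries 64-bit size fields
STORED, BEST = 0x30, 0x35             # valid METHOD byte range (0x30 = stored)


class UninspectableArchive(Exception):
    """Raised whenever the archive structure cannot be walked to the end."""


def header_crc(header_after_crc):
    """RAR 4.x header CRC: low 16 bits of CRC32 over the bytes after HEAD_CRC."""
    return zlib.crc32(header_after_crc) & 0xFFFF


def _parse_file_header(header, flags):
    """Validate the fixed part of a file header and extract the entry metadata."""
    if flags & FLAG_LARGE:   # 64-bit sizes: this walker does not support them, so fail closed
        raise UninspectableArchive("64-bit size fields not supported by this walker")
    if len(header) < 32:
        raise UninspectableArchive("file header shorter than its fixed part")
    (pack_size, unp_size, _host_os, _file_crc, _ftime, _unp_ver,
     method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", header, 7)
    if not STORED <= method <= BEST:
        raise UninspectableArchive("unknown compression method 0x%02x" % method)
    if 32 + name_size > len(header):
        raise UninspectableArchive("file name runs past the header")
    name = header[32:32 + name_size].decode("latin-1")
    return {"name": name, "packed": pack_size, "size": unp_size, "method": method}


def enumerate_rar_entries(data):
    """Walk every block of a RAR 4.x archive; return the file entries or raise."""
    if not data.startswith(RAR_SIGNATURE):
        raise UninspectableArchive("missing RAR signature")
    entries, pos, seen_end = [], len(RAR_SIGNATURE), False
    while pos < len(data):
        if pos + 7 > len(data):
            raise UninspectableArchive("truncated block header at offset %d" % pos)
        crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            raise UninspectableArchive("header size %d is too small" % head_size)
        header = data[pos:pos + head_size]
        if len(header) < head_size:
            raise UninspectableArchive("header runs past end of file")
        if header_crc(header[2:]) != crc:
            raise UninspectableArchive("header CRC mismatch at offset %d" % pos)
        add_size = 0
        if flags & FLAG_LONG_BLOCK:      # for file headers ADD_SIZE is PACK_SIZE
            if head_size < 11:
                raise UninspectableArchive("long block without ADD_SIZE field")
            add_size = struct.unpack_from("<I", header, 7)[0]
        if btype == BLOCK_FILE:
            entries.append(_parse_file_header(header, flags))
        if pos + head_size + add_size > len(data):
            raise UninspectableArchive("block data runs past end of file")
        pos += head_size + add_size
        if btype == BLOCK_END:
            seen_end = True
            break
    if not seen_end:
        raise UninspectableArchive("no end-of-archive block")
    return entries


def gateway_verdict(data):
    """Fail-closed gateway policy: only a fully walked archive proceeds to content scanning."""
    try:
        entries = enumerate_rar_entries(data)
    except UninspectableArchive as exc:
        return ("quarantine", str(exc))
    return ("scan-contents", [e["name"] for e in entries])


def build_rar(files):
    """Constructed test data: a minimal RAR 4.x archive with stored (0x30) entries."""
    def block(btype, flags, body):
        head = struct.pack("<BHH", btype, flags, 7 + len(body)) + body
        return struct.pack("<H", header_crc(head)) + head
    out = bytearray(RAR_SIGNATURE)
    out += block(BLOCK_MAIN, 0x0000, b"\x00" * 6)          # reserved fields
    for name, content in files:
        body = struct.pack("<IIBIIBBHI", len(content), len(content), 2,
                           zlib.crc32(content) & 0xFFFFFFFF, 0, 29, STORED,
                           len(name), 0x20) + name
        out += block(BLOCK_FILE, FLAG_LONG_BLOCK, body) + content
    out += block(BLOCK_END, 0x0000, b"")
    return bytes(out)


# Constructed samples: one well-formed archive and two structurally broken variants.
GOOD = build_rar([(b"report.txt", b"quarterly numbers"), (b"tool.exe", b"MZ...")])
TRUNCATED = GOOD[:-9]                        # end block and part of the last entry cut off
_bad = bytearray(GOOD)
_bad[7] ^= 0xFF                              # corrupt the main header's HEAD_CRC
BAD_CRC = bytes(_bad)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("truncated", TRUNCATED), ("bad-crc", BAD_CRC)):
        print(label, gateway_verdict(sample))
```

The key design choice is that every check raises rather than logging and continuing: a scanner that skips a block it cannot parse has, from the attacker's point of view, already lost, because whatever follows that block is delivered without inspection. Treating "could not parse" as "block it" is the policy a gateway deployment should ask of its AV vendor.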


IV. Disclosure timeline
  • 14/03/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date. There is no security address listed at [1], hence I used the industry-standard security contact addresses secure@ and security@: secure@avast.de, secure@alwil.com, security@alwil.com, security@avast.de, security@avast.com

    No reply.
  • 10/04/2009 : Resent, specifying that this is the last attempt to disclose responsibly. This time two known contact addresses that were previously used to report vulnerabilities were used: secalert@avast.com, vlk@avast.com

    No reply.

  • 17/04/2009 : Release of this advisory and beginning of the grace period.

  • 17/04/2009 : Avast replies, quoting the mail sent on 14/03/2009, and claims that this is a non-issue because the POC would not correctly decompress.

  • 17/04/2009 : Replied that the POC works as expected and asked why there had been no reaction to the previous notifications.

    No reply.

  • 20/04/2009 : Asked for the patch timeline and the affected versions.

  • 20/04/2009 : Avast replies that all versions and all product ranges are affected; however, "There's currently no plan to release a special patch for this as our risk assessment makes it a very low priority issue."
Addendum :
It is the responsibility of the vendor to make sure security addresses are available, known and communicated. Addresses given by avast simply bounce :
  • For secure@avast.com, [Site (avast.com/195.47.75.55) said: 550 5.1.1 secure@avast.com... User unknown]
  • For secalert@avast.com, [Site (avast.com/195.47.75.55) said: 550 5.1.1 secalert@avast.com... User unknown]
Avast is surely able to assess its *business risk*, i.e. the risk of losing customers and money; however, I doubt avast can assess the entire cumulated risk of its customers that run avast code in specific environments. What should matter to Avast is the impact on their application. The primary goal of an AV application is to detect malicious code; if this can be easily and comfortably evaded, they are not that useful any more on gateways, are they? A bug should not be rated by its technical aspects or by how hard it is to find, but by its impact, case by case.


[1] http://osvdb.org/vendor/1/ALWIL%20Software
