Release mode: Coordinated but limited disclosure.
Ref         : TZO-082009 - Bitdefender Evasion CAB
Vendor      : http://www.bitdefender.com
Security notification reaction rating : Good
Notification to patch time window : 1 day (!)

Interesting background statistics:
Time required to coordinate disclosure and write the advisory : 2 hours
Time required to find the bug : 10 minutes

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

- Bitdefender Antivirus 2009 (pre update 13/04/2009)
- Bitdefender Internet Security 2009 (pre update 13/04/2009)
- Bitdefender Total Security 2009 (pre update 13/04/2009)
- Bitdefender Small Office Security (pre update 13/04/2009)
- Bitdefender for Fileservers (pre update 13/04/2009)
- Bitdefender for Samba (pre update 13/04/2009)
- Bitdefender for Sharepoint (pre update 13/04/2009)
- Bitdefender Security for Exchange (pre update 13/04/2009)
- Bitdefender Security for Mailservers (pre update 13/04/2009)
- Bitdefender for ISA Servers (pre update 13/04/2009)
- Bitdefender Client security (pre update 13/04/2009)

Bundles:
- BitDefender Business Security (pre update 13/04/2009)
- Bitdefender Antivirus for Unices (pre update 13/04/2009)
- Bitdefender Corporate Security (pre update 13/04/2009)
- Bitdefender SBS Security (pre update 13/04/2009)

I. Background
Quote: "BitDefender™ provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. BitDefender, a division of SOFTWIN, is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, United Kingdom, Denmark, Spain and Fort Lauderdale (FL), USA."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted CAB archive. Details are currently withheld because other vendors are still in the process of deploying patches.

III. Impact

A general description of the impact and nature of AV bypasses/evasions can be read at:
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug prevents the engine from inspecting the code within the CAB archive: the archive's content is not inspected at all.


IV. Disclosure time line
  • 13/04/2009 : Sent proof of concept, a description of the terms under which I cooperate, and the planned disclosure date

  • 14/04/2009 : Bitdefender responds that the problem was fixed by an automatic update on the 13/04/2009

  • 16/04/2009 : Asked which product lines and versions were affected and for a CVE number.

  • 15/04/2009 : Bitdefender states that "All our products are affected by this problem. We don't have a CVE number".

  • 17/04/2009 : Release of this advisory
