
CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats

Vulnerability Research in Archive Formats

Version Information

Advisory Reference   CERT-FI: 20469
                     CPNI: 072928
                     CERT/CC: VU#813451
Release Date         17 March 2008 12:00 UTC
Last Revision        6 August 2009
Version Number       1.3
CVEs:


Acknowledgement

The Test Suite was provided by the Oulu University Secure Programming Group (OUSPG) at
the University of Oulu in Finland.

What is Affected?

The vulnerabilities described in this advisory can potentially affect programs that handle
the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO.

The Test Suite contains a set of fuzzed archive files in different formats. Some of these
files may cause, and some are known to cause, problems in common tools that process
archived content. These include:

* Content inspection products such as anti-virus and stateful firewalls
* Encryption products (VPN, PGP)
* Backup software
* Office programs
* Operating systems and libraries

Impact

The impact of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product
specific information.

Vulnerabilities identified as part of this research can potentially expose
Denial-of-Service (DoS) and/or buffer overflow conditions. In some cases, it may even be
possible for an attacker to execute code on the affected system.

Severity

The severity of this research varies by vendor. Please see the 'Vendor Information'
section below for further information. Alternatively, contact your vendor for product
specific information.

Summary

The Oulu University Secure Programming Group (OUSPG) has been working on a piece of
research known as the PROTOS Genome Project (GENOME) since January 2005. The objective
of GENOME is to test implementations of arbitrary, possibly unknown, protocols by using
model-assisted fuzzing to generate test material.

As part of GENOME, OUSPG began looking at archive formats. These formats are typically
used to archive files and directories and compress them into smaller, compact packages
that can then be stored or transmitted via various media in a convenient and economical
manner.

During the initial research on archive formats, OUSPG identified that most of the
implementations evaluated failed to perform robustly. Some failures had security
implications and should therefore be classified as vulnerabilities.

To ensure that products supporting these formats are robust against the vulnerabilities
that may be discovered through this research, the Test Suite was made available to
multiple vendors so that they could use it to test their implementations.

Details


Archive formats are typically used to perform one of the following functions:

(1) To hold one or more archived files. Most archive formats can also store folders, so
that the file/folder relationship is reconstructed on extraction.

(2) To compress one or more files and folders into a single file for backup or transport.

These formats, which include ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO (usually
recognised by the corresponding file extensions), are platform-independent and are
supported by a variety of implementations, including many anti-virus products.

It is for this reason that archive formats were chosen for further investigation under
PROTOS GENOME. In this approach, a set of valid files is first collected; a program then
analyses the structure of these files, yielding a rough model of the underlying file
format. The model is used to generate similar files, which often contain modifications
that would be extremely unlikely to appear in a valid file.

Programs should normally report that such files are invalid and resume operation in a
controlled manner. Behaviour such as program termination, altered behaviour or infinite
loops can instead indicate unintentional and, in many cases, exploitable errors.

The test material can be found at the following URL:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/
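The approach described above, as an added example that is not part of this advisory or of OUSPG's PROTOS GENOME tooling: a small structure-aware fuzzer for one of the listed formats, ZIP, with Python's stock zipfile module standing in for the implementation under test. Where GENOME infers the format model automatically from a collection of valid samples, this example hand-writes the model (the local file header, central directory and end-of-central-directory records with their length, count and offset fields, as laid out in PKWARE's public APPNOTE), derives record offsets from a constructed two-entry seed archive, and patches those fields with boundary values (zero, maximum, off-by-one, near-maximum, random). The harness then runs the full parse-and-extract path under a watchdog thread and classifies each case: a clean parse, a rejection through an exception type the module documents, any other exception (a malformed value that escaped validation, which is a finding to examine rather than a confirmed vulnerability) or a hang. The field tables, the seed archive and the PRNG seed are the example's own choices.

```python
import io
import random
import struct
import threading
import zipfile

# ZIP structure model: per record type, the fields a reader trusts while walking
# the archive, as (relative offset, little-endian struct format).
LOCAL_FIELDS = {"signature": (0, "<I"), "flags": (6, "<H"), "method": (8, "<H"),
                "crc32": (14, "<I"), "csize": (18, "<I"), "usize": (22, "<I"),
                "name_len": (26, "<H"), "extra_len": (28, "<H")}
CENTRAL_FIELDS = {"signature": (0, "<I"), "method": (10, "<H"), "crc32": (16, "<I"),
                  "csize": (20, "<I"), "usize": (24, "<I"), "name_len": (28, "<H"),
                  "extra_len": (30, "<H"), "comment_len": (32, "<H"), "local_offset": (42, "<I")}
EOCD_FIELDS = {"signature": (0, "<I"), "entries": (10, "<H"), "cd_size": (12, "<I"),
               "cd_offset": (16, "<I"), "comment_len": (20, "<H")}
# Exceptions the zipfile module documents for bad or unsupported input; anything
# else that escapes the parser is an unexpected failure worth a closer look.
DOCUMENTED = (zipfile.BadZipFile, zipfile.LargeZipFile, NotImplementedError, RuntimeError)

def build_seed_zip():
    """Constructed sample input: a small, valid two-entry archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello archive fuzzing\n" * 20)
        zf.writestr("dir/data.bin", bytes(range(256)))
    return buf.getvalue()

def model_zip(data):
    """Walk a valid archive and return [(kind, absolute offset, field table), ...]."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, _, pos = struct.unpack_from("<HII", data, eocd + 10)
    model = [("eocd", eocd, EOCD_FIELDS)]
    for _ in range(entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local = struct.unpack_from("<I", data, pos + 42)[0]
        if data[local:local + 4] != b"PK\x03\x04":
            raise ValueError("bad local file header at %d" % local)
        model += [("central", pos, CENTRAL_FIELDS), ("local", local, LOCAL_FIELDS)]
        pos += 46 + name_len + extra_len + comment_len
    return model

def patch_field(data, record, field, value):
    rel, fmt = record[2][field]
    out = bytearray(data)                       # copy; the seed stays pristine
    struct.pack_into(fmt, out, record[1] + rel, value)
    return bytes(out)

def mutate(data, model, rng):
    """One model-guided mutation: pick a record, a field and a boundary value."""
    record = rng.choice(model)
    field = rng.choice(sorted(record[2]))
    rel, fmt = record[2][field]
    cur = struct.unpack_from(fmt, data, record[1] + rel)[0]
    maxval = (1 << (8 * struct.calcsize(fmt))) - 1
    value = rng.choice([0, maxval, min(cur + 1, maxval), max(cur - 1, 0),
                        maxval - rng.randrange(1, 64), rng.randrange(maxval + 1)])
    label = "%s@%d.%s %d->%d" % (record[0], record[1], field, cur, value)
    return label, patch_field(data, record, field, value)

def generate_corpus(seed, count, rng_seed=20469):
    """Produce `count` distinct variants of `seed`, none identical to it."""
    rng, model = random.Random(rng_seed), model_zip(seed)
    corpus, seen, attempts = [], {seed}, 0
    while len(corpus) < count and attempts < count * 100:
        attempts += 1
        label, variant = mutate(seed, model, rng)
        if variant not in seen:
            seen.add(variant)
            corpus.append((label, variant))
    return corpus

def exercise(data, timeout=5.0):
    """Parse and fully extract `data` under a watchdog thread; classify the result."""
    box = {}
    def target():
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    zf.read(info)
            box.update(outcome="ok", detail="")
        except DOCUMENTED as exc:       # invalid input reported the documented way
            box.update(outcome="rejected", detail="%s: %s" % (type(exc).__name__, exc))
        except Exception as exc:        # escaped input validation: inspect by hand
            box.update(outcome="unexpected", detail="%s: %s" % (type(exc).__name__, exc))
    worker = threading.Thread(target=target, daemon=True)
    worker.start()
    worker.join(timeout)
    if worker.is_alive():               # still running: a candidate infinite loop
        return "hang", "no result after %.1fs" % timeout
    return box.get("outcome", "unexpected"), box.get("detail", "worker died")
```

Grouping the results of exercise() by outcome over generate_corpus(build_seed_zip(), 200) gives a triage list; the "unexpected" and "hang" buckets are the ones to hand to a debugger, together with the label that records which field was changed and to what. For a native implementation such as those in the vendor table, the same corpus would be written out as files and fed to the tool with a crash monitor (a core-dump handler or a sanitizer build) in place of the exception classifier.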

Mitigation

Please refer to the 'Vendor Information' section of this advisory for platform-specific
mitigation.

Solution

Please refer to the 'Vendor Information' section of this advisory for platform-specific
remediation.

Vendor Information

Vendor               Vulnerable?      Fixed version or URL
7-zip                Yes              4.5.7
Aladdin              Not Vulnerable
AOL                  Unknown
Apple                Yes              http://support.apple.com/kb/HT3757
Astaro               Yes              http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html
Avaya                Yes              http://support.avaya.com/elmodocs2/security/ASA-2008-404.htm
BeCubed              Unknown
bzip2                Yes              1.0.5, http://www.bzip.org/CHANGES
Checkpoint           Unknown
Cisco                Unknown
Citrix               Not Vulnerable
ClamAV               Yes              0.93, http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
                                      https://www.clamav.net/bugzilla/show_bug.cgi?id=897
                                      https://www.clamav.net/bugzilla/show_bug.cgi?id=898
ConeXware            Unknown
Crossbeam Systems    Unknown
Debian               Yes              http://www.debian.org/security/2008/dsa-1455
Entrust              Unknown
Ericsson             Unknown
ESTsoft              Unknown
Eazel                Unknown
F-Secure             Yes              http://www.f-secure.com/security/fsc-2008-2.shtml
FreeBSD              Yes              http://www.securityspace.com/smysecure/catid.html?id=60833
                                      http://www.securityspace.com/smysecure/catid.html?id=60632
                                      http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc
Gentoo               Yes              http://security.gentoo.org/glsa/glsa-200708-03.xml
                                      http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml
                                      http://security.gentoo.org/glsa/glsa-200805-19.xml
                                      http://security.gentoo.org/glsa/glsa-200903-40.xml
Gfi                  Not Vulnerable
Google               Unknown
Grisoft              Unknown
HP                   Unknown
IBM                  Unknown
Inner Media          Unknown
Insta                Unknown
IPCop                Yes              http://www.ipcop.org/index.php?name=News&file=article&sid=40
Isode                Unknown
Kaspersky            Yes              Version data not available. Updated versions are fixed.
Kolab                Yes              http://kolab.org/security/kolab-vendor-notice-20.txt
lbzip2               Yes              0.03, http://freshmeat.net/projects/lbzip2/releases/283292
Libarchive           Yes              http://people.freebsd.org/~kientzle/libarchive/
Mandriva             Yes              http://www.mandriva.com/security/advisories?name=MDVSA-2008:075
                                      http://www.mandriva.com/security/advisories?name=MDVSA-2008:088
McAfee               Yes              https://knowledge.mcafee.com/article/456/615178_f.SAL_Public.html
Microsoft            Not Vulnerable
Mozilla              Unknown
NetBSD               Yes              ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc
Nixu Oy              Unknown
Nokia                Unknown
Nortel               Unknown
Oracle               Not Vulnerable
Python               Unknown
RARLAB               Yes              3.71
Red Hat              Yes              http://rhn.redhat.com/errata/RHSA-2008-0893.html
                                      https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00165.html
                                      https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00225.html
                                      https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00576.html
                                      https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00625.html
                                      https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00249.html
Rising Antivirus     Unknown
rPath Linux          Yes              http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118
S60Zip               Not Vulnerable
Secgo                Not Vulnerable
Siemens              Unknown
Slackware            Yes              http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473263
SonicWALL            Unknown
Sophos               Yes              http://www.sophos.com/support/knowledgebase/article/50611.html
Sourcefire           Unknown
SUSE                 Yes              http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00009.html
                                      http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
                                      http://www.novell.com/linux/security/advisories/2007_15_sr.html
Stonesoft            Unknown
Sun Microsystems     Yes              http://sunsolve.sun.com/search/document.do?assetkey=1-66-241786-1
Symantec             Not Vulnerable
TeamF1               Unknown
TightVNC             Unknown
Ubuntu               Yes              http://www.ubuntulinux.org/usn/usn-590-1
VeriSign             Unknown
VmWare               Yes              http://kb.vmware.com/kb/1006982
                                      http://kb.vmware.com/kb/1007198
                                      http://kb.vmware.com/kb/1007504
WinGate              Unknown
WinZip               Unknown
Wind River           Unknown

Vendor Statements

Aladdin

No statement at this time

Apple

Our tests did not indicate any problems in Apple software running the test cases provided.

bzip2

One test case has been found to cause problems with bzip2. It has been fixed in version 1.0.5.

Citrix

No statement at this time

F-Secure

Several products from F-Secure Corporation are vulnerable to the issue described in CERT-FI: 20469, CPNI: 072928, CERT/CC: VU#813451. Patches for the vulnerability have been published, and distributed automatically to end-users for all products that support automatic patching. More information about potential impact, affected products and available patches can be found in the advisory FSC-2008-2 located at http://www.f-secure.com/security/fsc-2008-2.shtml.

Gfi

No statement at this time

Microsoft

No statement at this time

Oracle

No statement at this time

RARLAB

Potential problems were found in WinRAR 3.70 code for almost all formats included in the test suite except ZOO, which is not supported by WinRAR. RARLAB did not investigate exploitability and severity of found problems. All potential problems were fixed regardless of their severity. All these fixes were included in WinRAR 3.71.

S60Zip

S60Zip uses the API provided by the platform to decompress .zip files.

Secgo

No statement at this time

Symantec

We have done extensive testing against your test suite. We have verified that none of our products are vulnerable.

Credits

CERT-FI and the CPNI Vulnerability Team would like to thank OUSPG for making the Test Suite available to vendors.

CERT-FI and the CPNI Vulnerability Team would also like to thank the vendors for their co-operation and to JPCERT/CC for co-ordinating this issue in Japan.

Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference in the subject line

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html

The CPNI Vulnerability Management Team can be contacted as follows:

Email:
VulTeam@cpni.gsi.gov.uk
Please quote the advisory reference in the subject line

Telephone :
+44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00

Fax:
+44 (0)870 487 0749

Post:
Vulnerability Management Team
CPNI
PO Box 60628
London
SW1P 1HA

We encourage those who wish to communicate via email to make use of our PGP key. The key is available at http://www.cpni.gov.uk/key.aspx.

Please note that UK government protectively marked material should not be sent to the email address above.

If you wish to be added to our email distribution list please email your request to infosec@cpni.gov.uk.


What are CERT-FI and CPNI?

For further information regarding the Finnish National CERT Team, CERT-FI, please visit http://www.cert.fi/en/index.html

For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk.

Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.

Neither shall CPNI accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.

© 2008 Crown Copyright

Page updated 07.08.2009