Anti-Virus Library Vulnerability

31 May 04:40

NetSec has identified multiple remotely exploitable flaws that may negatively impact the security posture of systems worldwide. This alert is designed to increase awareness of a vulnerability affecting applications relying on the Computer Associates 'Vet' anti-virus library. The prevalence of security software products leveraging this component in corporate and government computing environments has increased the severity level to "High".

A serious vulnerability has been found within the Computer Associates (CA) 'Vet' anti-virus library component, shipped with several security applications. When exploited, this vulnerability may allow a remote attacker to execute arbitrary system commands in the context of user running software utilising the vulnerable AV library.

The heap overflow vulnerability within the "VetE.dll" library component can be triggered when the affected software is called to scan a Microsoft OLE (object linking and embedding) object within an arbitrary file stream. Examples of file types which may contain OLE objects include Microsoft Office (Microsoft Word, PowerPoint, Excel, etc.) documents and locally-stored or cached Hypertext (HTML) content. This vulnerability can therefore be leveraged through a number of attack vectors, which involve a malicious file being placed on, or passed through a system with anti-virus software to scan OLE objects using the "Vet" library.

Due to the nature of products affected by the vulnerability, NetSec believes that the most likely attack vector is via the attachment of specially crafted files to e-mail messages. Such messages may target both e-mail servers and systems running anti-virus software configured to scan incoming email messages.

The following software packages are known to be affected by this issue:

Zone Labs - ZoneAlarm Security Suite
Zone Labs - ZoneAlarm Antivirus
Computer Associates
- InoculateIT 6.0 (all platforms including Notes/Exchange)
- eTrust Antivirus r6.0 all platforms including Notes/Exchange
- eTrust Antivirus r7.0 all platforms including Notes/Exchange
- eTrust Antivirus r7.1 all platforms including Notes/Exchange
- eTrust Antivirus for the Gateway r7.0 all modules and platforms
- eTrust Antivirus for the Gateway r7.1 all modules and platforms
- eTrust Secure Content Manager all releases
- eTrust Intrusion Detection all releases
- BrightStor ARCserve Backup (BAB) r11.1 Windows
- Vet Antivirus

The following products are reported not vulnerable to this issue:

Computer Associates - eTrust EZ Armor 3.1
Computer Associates - Vet Antivirus 11.9.1

Users of vulnerable products listed above are strongly recommended to update their systems at the earliest opportunity. NetSec also recommends that customers also ensure that remote office users and frequent travellers, who connect into their corporate infrastructure, prioritize updates to their systems. The most effective mitigation of emerging threats that may leverage this vulnerability is to ensure that official vendor patches have been applied.

Due to the nature of the vulnerability, the threat may be effectively mitigated, but not remediated through the use of Microsoft Windows XP Service Pack 2 with DEP (Data Execution Prevention) enabled. It should be noted that several methods for defeating the XP Service Pack 2 software-based DEP have been developed by the malicious code community, but widespread examples in automated threats have not been identified. The software-based DEP mitigation should be considered a temporary workaround until the vendor patch can be applied.

Related links: (Open in a new window.)
www.rem0te.com/public/images/vet.pdf
www.netsec.net/content/index.jsp

Taken from Information Security Bulletin.