SYNTHESIS OF THE VULNERABILITY

An attacker can create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

Severity: 2/4

Consequences: data flow

Provenance: document

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 3

Creation date: 30/04/2009

IMPACTED PRODUCTS

 Trend Micro Internet Security
 Trend Micro InterScan Messaging Security Suite
 Trend Micro InterScan Web Security Suite
 Trend Micro ScanMail
 Trend Micro ServerProtect

DESCRIPTION OF THE VULNERABILITY

Trend Micro products detect viruses contained in RAR, CAB and ZIP archives.

However, an attacker can create a slightly malformed archive, which can still be opened by Unrar/Unzip tools, but which cannot be opened by the antivirus.

Depending on Trend Micro product, these archives are handled in three ways:

OfficeScan and ServerProtect are vulnerable when Unrar/Unzip extracts the file on the desktop computer. These products are thus vulnerable when installed on a scan server. [grav:2/4]

InterScan Web Security Suite and InterScan Messaging Security quarantine the file by default. These products are vulnerable if the administrator changed the default configuration. [grav:2/4]

ScanMail does not indicate that the unscanned archive potentially contains a virus. This product is vulnerable in its default configuration. [grav:2/4]

An attacker can therefore create a RAR, CAB or ZIP archive containing a virus which is not detected by Trend Micro.

CHARACTERISTICS

Identifiers: BID-34763, TZO-17-2009, VIGILANCE-VUL-8683

http://vigilance.fr/vulnerability/Trend-Micro-bypassing-via-RAR-CAB-and-ZIP-8683