Title: Multiple Vendor Anti-Virus Gateway Failure To Decode Base64 Encoded Image Weakness
Severity: HIGH
Description:
Multiple vendor anti-virus gateway products are reported prone to a security weakness that could lead to a false sense of security. It is reported that the affected anti-virus gateways do not decode base64-encoded images that are contained in 'data' URIs.
A remote attacker may exploit this weakness to obfuscate malicious images, for example a JPEG image that is designed to exploit the vulnerability reported in BID 11173 (Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability). The image will be supplied to a target user using a 'data' URI contained in an IMG tag as follows:
<img src="data:image/gif;base64, %encoded image data%">
A malicious image that is obfuscated in this manner will bypass the affected anti-virus scanner; the image will be rendered in the browser of a target user when the malicious page is viewed. It is reported that because Microsoft Internet Explorer does not fully support the 'data' URI, Internet Explorer cannot be used as an attack vector to exploit this weakness.
This weakness may lead to a false sense of security where a network administrator believes that the affected product will detect malicious images designed to trigger a target vulnerability. In reality, the images may be obfuscated by an attacker and may not be detected.
Affected Products:
- ALT Linux ALT Linux Compact 2.3.0
- ALT Linux ALT Linux Junior 2.3.0
- Check Point Software FireWall-1 R55 HFA08 with SmartDefense
- Clam Anti-Virus ClamAV 0.51.0
- Clam Anti-Virus ClamAV 0.52.0
- Clam Anti-Virus ClamAV 0.53.0
- Clam Anti-Virus ClamAV 0.54.0
- Clam Anti-Virus ClamAV 0.60.0
- Clam Anti-Virus ClamAV 0.65.0
- Clam Anti-Virus ClamAV 0.67.0
- Clam Anti-Virus ClamAV 0.68.0
- Clam Anti-Virus ClamAV 0.68.0 -1
- Clam Anti-Virus ClamAV 0.70.0
- Clam Anti-Virus ClamAV 0.80.0
- Clam Anti-Virus ClamAV 0.80.0 rc1
- Clam Anti-Virus ClamAV 0.80.0 rc2
- Clam Anti-Virus ClamAV 0.80.0 rc3
- Clam Anti-Virus ClamAV 0.80.0 rc4
- Clam Anti-Virus ClamAV 0.81.0
- Gentoo Linux
- Gentoo Linux 1.4.0
- Gentoo Linux 1.4.0 _rc1
- Gentoo Linux 1.4.0 _rc2
- Gentoo Linux 1.4.0 _rc3
- Internet Security Systems SiteProtector 2.0.0 SP3
- Internet Security Systems SiteProtector 2.0.4.561
- IronPort IronPort with Sophos AV Engine 3.88
- MandrakeSoft Corporate Server 3.0.0
- MandrakeSoft Corporate Server 3.0.0 x86_64
- MandrakeSoft Linux Mandrake 10.1.0
- MandrakeSoft Linux Mandrake 10.1.0 x86_64
- McAfee Webshield 3000 4.3.20
- TippingPoint Unity-One with Digital Vacine 2.0.0.2070
- Trend Micro InterScan Messaging Security Suite 3.81.0
- Trend Micro InterScan Messaging Security Suite 5.5.0
- Trend Micro WebProtect 3.1.0
References:
- ALT Linux: [security-announce] I: updated packages available
- Darren Bounds <lists intrusense com>: Multi-vendor AV gateway image inspection bypass vulnerability
- Internet RFC/STD/FYI/BCP Archives: RFC 2397 (RFC2397)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
