J-Security Center

Title: Multiple Vendor File Scanner Malicious Archive DoS Vulnerability

Severity: MODERATE

Description:

A wide range of products exists for scanning enterprise email and filesystems for files containing viruses and other undesirable content.

These products handle compressed files by temporarily unzipping them and scanning the uncompressed contents.

Recent discussions on the vuln-dev mailing list have examined the potential for attackers to create malicious archives whose structure interferes with the operation of systems scanning email traffic for viruses and other restricted material.

It is possible to construct an archive with an unusually high compression ratio, resulting in a small file which grows to extreme size when uncompressed.

When a scanner process unpacks such an archive to examine its contents, the resulting file may be so large that it consumes significant amounts of available disk space (potentially many gigabytes).

Further, such archives may be deliberately constructed to contain large numbers of compressed files, which may be further nested in such a way that the final number of decompressed files may be extremely large, potentially in the millions or higher.

If an email scanner is configured to recursively open and scan such nested archives, the depth to which archives have been nested may result in exhaustion of CPU time, available file handles and similar per-process resources.

It should be noted that this vulnerability is not limited to a specific compression format; any compressed archive format supported by the scanner is a potential vector of attack.
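The following is an added example, not code from this advisory or from any of the vendors named in it. It shows how a scanner can inspect a zip archive in memory under an explicit resource budget: the compression ratio declared in each member's header is checked first, every member is then streamed under a total-bytes cap (so a header that lies about its size gains nothing), and nested archives are only descended to a fixed depth while sharing the same budget. The limit values, the `make_zip` helper and the test inputs are assumptions constructed for the example.

```python
import io
import zipfile

# Assumed scanner budget (illustrative values, not taken from any product).
MAX_RATIO = 100                     # declared uncompressed:compressed bytes per member
MAX_TOTAL_BYTES = 64 * 1024 * 1024  # total bytes decompressed across the whole tree
MAX_MEMBERS = 1000                  # members counted across all nesting levels
MAX_DEPTH = 3                       # archive-in-archive levels we will descend into

class ArchiveLimitExceeded(Exception):
    """Raised when an archive would exceed the scanner's resource budget."""

def make_zip(members, level=zipfile.ZIP_DEFLATED):
    """Constructed test input: build a zip in memory from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=level) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inspect_archive(data, depth=0, state=None):
    """Walk a zip held in memory without writing anything to disk.
    Members are streamed under a shared byte budget, so a central directory
    that understates a member's size cannot bypass the ratio check.
    Returns a summary dict of members seen and bytes decompressed."""
    state = state if state is not None else {"members": 0, "bytes": 0}
    if depth > MAX_DEPTH:
        raise ArchiveLimitExceeded(f"nesting depth {depth} exceeds {MAX_DEPTH}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            state["members"] += 1
            if state["members"] > MAX_MEMBERS:
                raise ArchiveLimitExceeded("too many members in archive tree")
            # Cheap pre-check on the attacker-controlled central directory.
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ArchiveLimitExceeded(f"{info.filename}: compression ratio too high")
            # Nested archive detection by name here; a real scanner would sniff magic bytes.
            nested = io.BytesIO() if info.filename.lower().endswith(".zip") else None
            with zf.open(info) as member:
                while chunk := member.read(65536):
                    state["bytes"] += len(chunk)
                    if state["bytes"] > MAX_TOTAL_BYTES:
                        raise ArchiveLimitExceeded("decompressed size budget exceeded")
                    if nested is not None:
                        nested.write(chunk)
            if nested is not None:  # descend one level, sharing the same budget
                inspect_archive(nested.getvalue(), depth + 1, state)
    return state
```

A 16 MiB run of zero bytes deflates to a few tens of kilobytes, so `make_zip({"zeros.bin": b"\0" * (16 * 1024 * 1024)})` is rejected by the ratio check before any of it is decompressed.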

Sophos and NAI have reported that their scanning products are not vulnerable to this type of attack. Further information on vulnerable products will be added when it becomes available.

Affected Products:

  • Baltimore Technologies MAILsweeper for SMTP 4.2.1
  • F-Secure Anti-Virus 5.0.2
  • F-Secure Anti-Virus 5.2.1
