ClamAV < 0.95.2 Multiple Scan Evasion Vulnerabilities

medium Nessus Plugin ID 39437

Synopsis

The remote antivirus service is vulnerable to a file scan evasion attack.

Description

According to its version, the clamd antivirus daemon on the remote host is earlier than 0.95.2. Such versions are reportedly affected by multiple scan evasion vulnerabilities:

- An attacker could bypass antivirus detection by embedding malicious code in a specially crafted 'CAB', 'RAR', or 'ZIP' archive.

- Due to an issue in 'libclamav/mbox.c', an attacker can bypass antivirus detection by sending a UTF-16 encoded email.

- Due to an issue in 'libclamav/readdb.c', certain signatures that should be rejected are able to bypass detection.

Solution

Upgrade to ClamAV 0.95.2 or later.
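To confirm the upgrade across several hosts, the version comparison described above can be reproduced over collected version banners. This is an added example, not the plugin's own code: it assumes the `ClamAV <engine>/<db version>/<db date>` banner printed by clamd's `VERSION` command and `clamscan --version`, treats `rc`/`beta`/`devel` suffixes as pre-releases (an assumption), and uses constructed host names and banners.

```python
import re

FIXED = (0, 95, 2)  # first fixed release named on this page

# Assumed banner shape: "ClamAV <engine>/<db version>/<db date>"
BANNER_RE = re.compile(r"^ClamAV\s+(\d+(?:\.\d+)*)([-\w.]*)")
PRERELEASE_RE = re.compile(r"rc|beta|devel", re.I)  # assumption: pre-release tags


def parse_engine(banner):
    """Return ((major, minor, patch, ...), suffix), or None if not a ClamAV banner."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad "0.95" to (0, 95, 0)
    return nums, m.group(2)


def is_affected(banner):
    """True if the engine is earlier than 0.95.2, False if not, None if unparseable."""
    parsed = parse_engine(banner)
    if parsed is None:
        return None
    nums, suffix = parsed
    if nums[:3] != FIXED:
        # Numeric tuple comparison: 0.103.x sorts after 0.95.x, unlike a string compare.
        return nums[:3] < FIXED
    # Same numbers as the fixed release: a pre-release build is still earlier.
    return bool(PRERELEASE_RE.search(suffix))


def affected_hosts(banners):
    """Map of host -> banner; returns hosts that are affected or need a manual look."""
    return sorted(h for h, b in banners.items() if is_affected(b) is not False)


# Constructed sample data (hypothetical hosts and banners).
SAMPLE = {
    "mx1": "ClamAV 0.95.1/9452/Wed Jun 10 10:00:00 2009",
    "mx2": "ClamAV 0.95.2/9470/Wed Jun 17 10:00:00 2009",
    "mx3": "ClamAV 0.103.2/26233/Wed Jul 14 07:33:40 2021",
    "mx4": "ClamAV 0.95.2rc1/9460/Mon Jun 15 10:00:00 2009",
    "mx5": "220 mail ESMTP",  # not a ClamAV banner: reported for manual review
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE):
        print(host, "->", SAMPLE[host])
```

Like the plugin's check, this relies only on the reported version string, so a distribution package with backported fixes still shows as affected.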

See Also

http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html

https://seclists.org/bugtraq/2009/Jun/170

https://bugzilla.clamav.net/show_bug.cgi?id=1573

https://bugzilla.clamav.net/show_bug.cgi?id=1615

Plugin Details

Severity: Medium

ID: 39437

File Name: clamav_0_95_2.nasl

Version: 1.20

Type: remote

Family: Misc.

Published: 6/17/2009

Updated: 11/15/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:clamav:clamav

Required KB Items: Settings/ParanoidReport, Antivirus/ClamAV/version

Exploit Ease: No known exploits are available

Reference Information

BID: 35398, 35410, 35426