Vulnerabilities > CVE-2006-6481 - Denial Of Service vulnerability in Clam Anti-Virus Clamav 0.88.6
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Clam AntiVirus (ClamAV) 0.88.6 allows remote attackers to cause a denial of service (stack overflow and application crash) by wrapping many layers of multipart/mixed content around a document, a different vulnerability than CVE-2006-5874 and CVE-2006-6406.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1238.NASL description Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6406 Hendrik Weimer discovered that invalid characters in base64 encoded data may lead to bypass of scanning mechanisms. - CVE-2006-6481 Hendrik Weimer discovered that deeply nested multipart/mime MIME data may lead to denial of service. last seen 2020-06-01 modified 2020-06-02 plugin id 23912 published 2006-12-18 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23912 title Debian DSA-1238-1 : clamav - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1238. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(23912); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2006-6406", "CVE-2006-6481"); script_xref(name:"DSA", value:"1238"); script_name(english:"Debian DSA-1238-1 : clamav - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-6406 Hendrik Weimer discovered that invalid characters in base64 encoded data may lead to bypass of scanning mechanisms. - CVE-2006-6481 Hendrik Weimer discovered that deeply nested multipart/mime MIME data may lead to denial of service." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-6406" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-6481" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1238" ); script_set_attribute( attribute:"solution", value: "Upgrade the clamav packages. For the stable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.13. For the upcoming stable distribution (etch) these problems have been fixed in version 0.88.7-1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/18"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"clamav", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-base", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-daemon", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-docs", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-freshclam", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-milter", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"clamav-testfiles", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"libclamav-dev", reference:"0.84-2.sarge.13")) flag++; if (deb_check(release:"3.1", prefix:"libclamav1", reference:"0.84-2.sarge.13")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id SUSE_SA_2006_078.NASL description The remote host is missing the patch for the advisory SUSE-SA:2006:078 (clamav). The anti virus scan engine ClamAV has been updated to version 0.88.7 to fix various security problems: CVE-2006-5874: Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service (crash) via a malformed base64-encoded MIME attachment that triggers a NULL pointer dereference. CVE-2006-6481: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to cause a denial of service (stack overflow and application crash) by wrapping many layers of multipart/mixed content around a document, a different vulnerability than CVE-2006-5874 and CVE-2006-6406. CVE-2006-6406: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to bypass virus detection by inserting invalid characters into base64 encoded content in a multipart/mixed MIME file, as demonstrated with the EICAR test file. last seen 2019-10-28 modified 2007-02-18 plugin id 24453 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24453 title SUSE-SA:2006:078: clamav NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200612-18.NASL description The remote host is affected by the vulnerability described in GLSA-200612-18 (ClamAV: Denial of Service) Hendrik Weimer discovered that ClamAV fails to properly handle deeply nested MIME multipart/mixed content. Impact : By sending a specially crafted email with deeply nested MIME multipart/mixed content an attacker could cause ClamAV to crash. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 23955 published 2006-12-30 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23955 title GLSA-200612-18 : ClamAV: Denial of Service NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2008-002.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs. last seen 2020-06-01 modified 2020-06-02 plugin id 31605 published 2008-03-19 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31605 title Mac OS X Multiple Vulnerabilities (Security Update 2008-002) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_EB5124A48A2011DBB03300123FFE8333.NASL description Secunia reports : Clam AntiVirus have a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system. last seen 2020-06-01 modified 2020-06-02 plugin id 23853 published 2006-12-14 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23853 title FreeBSD : clamav -- Multipart Nestings Denial of Service (eb5124a4-8a20-11db-b033-00123ffe8333) NASL family SuSE Local Security Checks NASL id SUSE_CLAMAV-2391.NASL description This update to ClamAV version 0.88.7 fixes various bugs : CVE-2006-5874: Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service (crash) via a malformed base64-encoded MIME attachment that triggers a NULL pointer dereference. CVE-2006-6481: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to cause a denial of service (stack overflow and application crash) by wrapping many layers of multipart/mixed content around a document, a different vulnerability than CVE-2006-5874 and CVE-2006-6406. CVE-2006-6406: Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to bypass virus detection by inserting invalid characters into base64 encoded content in a multipart/mixed MIME file, as demonstrated with the EICAR test file. last seen 2020-06-01 modified 2020-06-02 plugin id 27177 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27177 title openSUSE 10 Security Update : clamav (clamav-2391) NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-230.NASL description The latest version of ClamAV, 0.88.7, fixes some bugs, including vulnerabilities with handling base64-encoded MIME attachment files that can lead to either a) a crash (CVE-2006-5874), or b) a bypass of virus detection (CVE-2006-6406). As well, a vulnerability was discovered that allows remote attackers to cause a stack overflow and application crash by wrapping many layers of multipart/mixed content around a document (CVE-2006-6481). The latest ClamAV is being provided to address these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24613 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24613 title Mandrake Linux Security Advisory : clamav (MDKSA-2006:230) NASL family SuSE Local Security Checks NASL id SUSE_CLAMAV-2390.NASL description This update to ClamAV version 0.88.7 fixes various bugs : - Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service (crash) via a malformed base64-encoded MIME attachment that triggers a NULL pointer dereference. (CVE-2006-5874) - Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to cause a denial of service (stack overflow and application crash) by wrapping many layers of multipart/mixed content around a document, a different vulnerability than CVE-2006-5874 / CVE-2006-6406. (CVE-2006-6481) - Clam AntiVirus (ClamAV) 0.88.6 allowed remote attackers to bypass virus detection by inserting invalid characters into base64 encoded content in a multipart/mixed MIME file, as demonstrated with the EICAR test file. (CVE-2006-6406) last seen 2020-06-01 modified 2020-06-02 plugin id 29397 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29397 title SuSE 10 Security Update : clamav (ZYPP Patch Number 2390)
References
- http://docs.info.apple.com/article.html?artnum=307562
- http://kolab.org/security/kolab-vendor-notice-14.txt
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://osvdb.org/31283
- http://secunia.com/advisories/23347
- http://secunia.com/advisories/23362
- http://secunia.com/advisories/23379
- http://secunia.com/advisories/23404
- http://secunia.com/advisories/23411
- http://secunia.com/advisories/23417
- http://secunia.com/advisories/23460
- http://secunia.com/advisories/29420
- http://security.gentoo.org/glsa/glsa-200612-18.xml
- http://www.debian.org/security/2006/dsa-1238
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:230
- http://www.novell.com/linux/security/advisories/2006_78_clamav.html
- http://www.quantenblog.net/security/virus-scanner-bypass
- http://www.securityfocus.com/bid/21609
- http://www.trustix.org/errata/2006/0072/
- http://www.vupen.com/english/advisories/2006/4948
- http://www.vupen.com/english/advisories/2006/5113
- http://www.vupen.com/english/advisories/2008/0924/references