Vulnerabilities > CVE-2009-3587

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

broadcom

critical

nessus

NVD

Published: 2009-10-13

Updated: 2021-11-15

Summary

Unspecified vulnerability in the arclib component in the Anti-Virus engine in CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1 through r8.1; Anti-Virus 2007 (v8) through 2009; eTrust EZ Antivirus r7.1; Internet Security Suite 2007 (v3) through Plus 2009; and other CA products allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted RAR archive file that triggers heap corruption, a different vulnerability than CVE-2009-3588.

Vulnerable Configurations

Part	Description	Count
Application	Broadcom Broadcom Etrust Antivirus 8 Broadcom Etrust Antivirus 8.1 Broadcom Etrust Antivirus 7.1 Broadcom Internet Security Suite * Broadcom Internet Security Suite 3.0 Broadcom Network AND Systems Management R3.1 Broadcom Network AND Systems Management R11.1 Broadcom Network AND Systems Management R11 Broadcom Network AND Systems Management R3.0 Broadcom Anti Virus 2007 Broadcom Anti Virus 2008 Broadcom Secure Content Manager 1.1 Broadcom Secure Content Manager 8.0 Broadcom Unicenter Network AND Systems Management 3.0 Broadcom Unicenter Network AND Systems Management 3.1 Broadcom Unicenter Network AND Systems Management 11 Broadcom Unicenter Network AND Systems Management 11.1 Broadcom Anti Virus FOR THE Enterprise 7.1 Broadcom Anti Virus FOR THE Enterprise R8 Broadcom Etrust Intrusion Detection 3.0 Broadcom Etrust Secure Content Manager 1.1 Broadcom Common Services 11 Broadcom Common Services 11.1 Broadcom Etrust Integrated Threat Management 8.1 Broadcom Anti Virus SDK *	25
Application	Ca CA Internet Security Suite 2008 * CA Protection Suites R2 CA Protection Suites R3 CA Protection Suites R3.1 CA Etrust Intrusion Detection 2.0 CA Etrust Intrusion Detection 3.0 CA Internet Security Suite Plus 2008 * CA Internet Security Suite Plus 2009 * CA Common Services 3.1 CA Arcserve Backup R11.5 CA Arcserve Backup R11.1 CA Anti Virus 2009 CA Anti Virus Plus 2009 CA Anti Virus Gateway 7.1 CA Etrust Anti Virus Gateway 7.1 CA Etrust EZ Antivirus R7.1 CA Threat Manager 8.1 CA Threat Manager R8 CA Anti Virus FOR THE Enterprise R8.1 CA Gateway Security R8.1 CA Threat Manager Total Defense * CA Etrust Secure Content Manager 8.0 CA Arcserve FOR Windows Client Agent * CA Arcserve FOR Windows Server Component * CA Etrust Anti Virus SDK *	25
OS	Linux Linux Linux *	1

Nessus

NASL family	Windows
NASL id	CA_AV_ARCLIB_8140.NASL
description	The antivirus engine from Computer Associates installed on the remote host is affected by multiple vulnerabilities : - Due to improper handling of certain specially crafted RAR files it may be possible for a remote attacker to trigger a heap overflow or denial of service condition. (CVE-2009-3587) - Due to improper handling of certain specially crafted RAR files it may be possible for a remote attacker to trigger a stack overflow or denial of service condition. (CVE-2009-3588)
last seen	2020-06-01
modified	2020-06-02
plugin id	42105
published	2009-10-13
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/42105
title	Computer Associates Anti-Virus Engine arclib.dll < 8.1.4.0 Multiple Flaws
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(42105); script_version("1.15"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2009-3587", "CVE-2009-3588"); script_bugtraq_id(36653); script_xref(name:"Secunia", value:"36976"); script_name(english:"Computer Associates Anti-Virus Engine arclib.dll < 8.1.4.0 Multiple Flaws"); script_summary(english:"Checks version of arclib.dll"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains an application that is affected by multiple flaws."); script_set_attribute(attribute:"description", value: "The antivirus engine from Computer Associates installed on the remote host is affected by multiple vulnerabilities : - Due to improper handling of certain specially crafted RAR files it may be possible for a remote attacker to trigger a heap overflow or denial of service condition. (CVE-2009-3587) - Due to improper handling of certain specially crafted RAR files it may be possible for a remote attacker to trigger a stack overflow or denial of service condition. (CVE-2009-3588)"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cccd446a"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/507101/30/0/threaded" ); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aeda8c7c" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Oct/79" ); script_set_attribute(attribute:"solution", value: "Either manually apply the patch listed in the vendor advisory or ensure that the product's automatic updates feature is enabled and working properly."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("audit.inc"); include("misc_func.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(1,"The 'SMB/Registry/Enumerated' KB item is missing."); # Connect to the appropriate share. name = kb_smb_name(); port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); exit(1,"Can't connect to IPC$ share."); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); exit(1,"Can't connect to remote registry."); } # Find where it's installed. reg_path = NULL; key = "SOFTWARE\ComputerAssociates\ScanEngine\Path"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { value = RegQueryValue(handle:key_h, item:"Engine"); if (!isnull(value)) reg_path = value[1]; RegCloseKey(handle:key_h); } RegCloseKey(handle:hklm); pfd = hotfix_get_programfilesdir(); if(reg_path && pfd) { paths = list_uniq(make_list(reg_path, string(pfd,'\\CA\\SharedComponents\\ScanEngine'), string(pfd,'\\eTrust\\Intrusion Detection\\Common'), string(pfd,'\\CA\\Intrusion Detection\\Common'))); } else if(reg_path && isnull(pfd)) paths = make_list(reg_path); else if(!isnull(pfd) && isnull(reg_path)) { paths = make_list(string(pfd,'\\CA\\SharedComponents\\ScanEngine'), string(pfd,'\\eTrust\\Intrusion Detection\\Common'), string(pfd,'\\CA\\Intrusion Detection\\Common')); } if(max_index(paths) == 0) { NetUseDel(); exit(0, "Can't determine path for Computer Associates Anti-Virus engine."); } ver = NULL; found = 0; foreach path (paths) { # Grab the file version of file Arclib.dll. share = ereg_replace(pattern:"^([A-Za-z]):.", replace:"\1$", string:path); dll = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1\Arclib.dll", string:path); NetUseDel(close:FALSE); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); exit(1, "Can't connect to '"+share+"' share."); } fh = CreateFile( file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (!isnull(fh)) { found = 1; ver = GetFileVersion(handle:fh); CloseFile(handle:fh); break; } } NetUseDel(); if(!found) exit(0, "File Arclib.dll was not found on the remote system."); # Check the version number. if (!isnull(ver)) { fixed_version = "8.1.4.0"; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(ver); i++) if ((ver[i] < fix[i])) { if (report_verbosity > 0) { version = string(ver[0],".",ver[1],".",ver[2],".",ver[3]); report = string( "\n", "File : ", path, "\\Arclib.dll\n", "Installed version : ", version, "\n", "Fixed version : ", fixed_version, "\n" ); security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else if (ver[i] > fix[i]) break; exit(0, "Arclib.dll version "+version+" is installed and not vulnerable."); } else exit(1, "Can't get file version of 'Arclib.dll'.");

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 36653 CVE ID: CVE-2009-3587,CVE-2009-3588 Computer Associates是世界领先的安全厂商，产品包括多种杀毒软件及备份恢复系统。多个CA产品杀毒引擎所使用的arclib组件在解析畸形RAR压缩文件时存在堆或栈内存破坏，用户受骗打开恶意文件就会导致拒绝服务或执行任意指令。 Computer Associates eTrust Intrusion Detection 3.0 SP1 Computer Associates eTrust Intrusion Detection 3.0 Computer Associates eTrust Intrusion Detection 2.0 SP1 Computer Associates Common Services r3.1 Computer Associates Common Services r11.1 Computer Associates Common Services r11 Computer Associates Anti-Virus Plus 2009 Computer Associates Anti-Virus for the Enterprise r8.1 Computer Associates Anti-Virus for the Enterprise r8 Computer Associates Anti-Virus for the Enterprise 7.1 Computer Associates Anti-Virus 2009 Computer Associates Anti-Virus 2008 Computer Associates Anti-Virus 2007 (v8) Computer Associates Internet Security Suite Plus 2009 Computer Associates Internet Security Suite Plus 2008 Computer Associates Internet Security Suite 2008 Computer Associates Internet Security Suite 2007 v3.0 Computer Associates Protection Suites 3.1 Computer Associates Protection Suites 3 Computer Associates Protection Suites 2 Computer Associates Threat Manager for the Enterprise r8.1 Computer Associates Threat Manager for the Enterprise r8 Computer Associates Secure Content Manager 8.0 Computer Associates Secure Content Manager 1.1 Computer Associates ARCserve Backup r12.0 SP2 Computer Associates ARCserve Backup r12.0 SP1 Computer Associates ARCserve Backup r12.0 Computer Associates ARCserve Backup r11.5 Computer Associates ARCserve Backup r11.1 Computer Associates Gateway Security r8.1 Computer Associates NSM 3.1 Computer Associates NSM 3.0 Computer Associates NSM 11.1 Computer Associates NSM 11 Computer Associates Anti-Virus Gateway 7.1 厂商补丁： Computer Associates ------------------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.cai.com/
id	SSV:12457
last seen	2017-11-19
modified	2009-10-12
published	2009-10-12
reporter	Root
title	CA杀毒引擎arclib库多个内存破坏漏洞

Vulnerabilities > CVE-2009-3587 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2009-3587"}]}

Summary

Vulnerable Configurations

Nessus

Seebug

References

Vulnerabilities > CVE-2009-3587