Vulnerabilities > CVE-2016-1371 - Improper Access Control vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
canonical
clamav
CWE-284
nessus

Summary

ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to cause a denial of service (application crash) via a crafted mew packer executable.

Vulnerable Configurations

Part Description Count
OS
Canonical
3
Application
Clamav
158

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3093-1.NASL
    descriptionIt was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93801
    published2016-09-29
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93801
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : clamav vulnerabilities (USN-3093-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3093-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93801);
      script_version("2.8");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-1371", "CVE-2016-1372", "CVE-2016-1405");
      script_xref(name:"USN", value:"3093-1");
    
      script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : clamav vulnerabilities (USN-3093-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that ClamAV incorrectly handled certain malformed
    files. A remote attacker could use this issue to cause ClamAV to
    crash, resulting in a denial of service, or possibly execute arbitrary
    code.
    
    In the default installation, attackers would be isolated by the ClamAV
    AppArmor profile.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3093-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected clamav package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:clamav");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/29");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"12.04", pkgname:"clamav", pkgver:"0.99.2+addedllvm-0ubuntu0.12.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"clamav", pkgver:"0.99.2+addedllvm-0ubuntu0.14.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"clamav", pkgver:"0.99.2+dfsg-0ubuntu0.16.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav");
    }
    
  • NASL familyMisc.
    NASL idCLAMAV_0_99_2.NASL
    descriptionAccording to its version, the ClamAV clamd antivirus daemon running on the remote host is prior to 0.99.2. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the libclamav library when handling specially crafted mew packer executables. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1371) - Multiple denial of service vulnerabilities exist in the libclamav library when handling specially crafted 7z files. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1372)
    last seen2020-06-01
    modified2020-06-02
    plugin id93897
    published2016-10-06
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93897
    titleClamAV < 0.99.2 Multiple libclamav DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93897);
      script_version("1.6");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2016-1371", "CVE-2016-1372");
      script_bugtraq_id(93221, 93222);
    
      script_name(english:"ClamAV < 0.99.2 Multiple libclamav DoS");
      script_summary(english:"Checks the response to a clamd VERSION command.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The antivirus service running on the remote host is affected by
    multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the ClamAV clamd antivirus daemon running on
    the remote host is prior to 0.99.2. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A denial of service vulnerability exists in the
        libclamav library when handling specially crafted mew
        packer executables. An unauthenticated, remote attacker
        can exploit this, by convincing a user to open a
        specially crafted file, to crash the application.
        (CVE-2016-1371)
    
      - Multiple denial of service vulnerabilities exist in the
        libclamav library when handling specially crafted 7z
        files. An unauthenticated, remote attacker can exploit
        these, by convincing a user to open a specially crafted
        file, to crash the application. (CVE-2016-1372)");
      script_set_attribute(attribute:"see_also", value:"https://blog.clamav.net/2016/05/clamav-0992-has-been-released.html");
      script_set_attribute(attribute:"see_also", value:"https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to ClamAV version 0.99.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/06");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav");
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
    
      script_dependencies("clamav_detect.nasl");
      script_require_keys("Antivirus/ClamAV/version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Antivirus/ClamAV/version");
    port    = get_service(svc:"clamd", default:3310, exit_on_fail:TRUE);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (
      version =~ "^0\.(\d|[0-8]\d|9[0-8])($|[^0-9])"
      ||
      version =~ "^0.99($|-beta[12]|-rc[12])"
      ||
      version =~ "^0\.99\.[01]($|[^0-9])"
    )
    {
      security_report_v4(
        port:port,
        severity:SECURITY_WARNING,
        extra:
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 0.99.2' +
          '\n'
      );
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "ClamAV", port, version);