Vulnerabilities > CVE-2016-1371 - Improper Access Control vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
ClamAV (aka Clam AntiVirus) before 0.99.2 allows remote attackers to cause a denial of service (application crash) via a crafted mew packer executable.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3093-1.NASL description It was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93801 published 2016-09-29 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93801 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : clamav vulnerabilities (USN-3093-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3093-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(93801); script_version("2.8"); script_cvs_date("Date: 2019/09/18 12:31:46"); script_cve_id("CVE-2016-1371", "CVE-2016-1372", "CVE-2016-1405"); script_xref(name:"USN", value:"3093-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : clamav vulnerabilities (USN-3093-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "It was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3093-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected clamav package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:clamav"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/08"); script_set_attribute(attribute:"patch_publication_date", value:"2016/09/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 16.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"clamav", pkgver:"0.99.2+addedllvm-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"clamav", pkgver:"0.99.2+addedllvm-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"16.04", pkgname:"clamav", pkgver:"0.99.2+dfsg-0ubuntu0.16.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav"); }
NASL family Misc. NASL id CLAMAV_0_99_2.NASL description According to its version, the ClamAV clamd antivirus daemon running on the remote host is prior to 0.99.2. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the libclamav library when handling specially crafted mew packer executables. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1371) - Multiple denial of service vulnerabilities exist in the libclamav library when handling specially crafted 7z files. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1372) last seen 2020-06-01 modified 2020-06-02 plugin id 93897 published 2016-10-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93897 title ClamAV < 0.99.2 Multiple libclamav DoS code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93897); script_version("1.6"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2016-1371", "CVE-2016-1372"); script_bugtraq_id(93221, 93222); script_name(english:"ClamAV < 0.99.2 Multiple libclamav DoS"); script_summary(english:"Checks the response to a clamd VERSION command."); script_set_attribute(attribute:"synopsis", value: "The antivirus service running on the remote host is affected by multiple denial of service vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the ClamAV clamd antivirus daemon running on the remote host is prior to 0.99.2. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the libclamav library when handling specially crafted mew packer executables. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1371) - Multiple denial of service vulnerabilities exist in the libclamav library when handling specially crafted 7z files. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted file, to crash the application. (CVE-2016-1372)"); script_set_attribute(attribute:"see_also", value:"https://blog.clamav.net/2016/05/clamav-0992-has-been-released.html"); script_set_attribute(attribute:"see_also", value:"https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/"); script_set_attribute(attribute:"solution", value: "Upgrade to ClamAV version 0.99.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/13"); script_set_attribute(attribute:"patch_publication_date", value:"2016/05/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/06"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("clamav_detect.nasl"); script_require_keys("Antivirus/ClamAV/version", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("Antivirus/ClamAV/version"); port = get_service(svc:"clamd", default:3310, exit_on_fail:TRUE); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^0\.(\d|[0-8]\d|9[0-8])($|[^0-9])" || version =~ "^0.99($|-beta[12]|-rc[12])" || version =~ "^0\.99\.[01]($|[^0-9])" ) { security_report_v4( port:port, severity:SECURITY_WARNING, extra: '\n Installed version : ' + version + '\n Fixed version : 0.99.2' + '\n' ); } else audit(AUDIT_LISTEN_NOT_VULN, "ClamAV", port, version);
References
- http://blog.clamav.net/2016/05/clamav-0992-has-been-released.html
- http://blog.clamav.net/2016/05/clamav-0992-has-been-released.html
- http://www.securityfocus.com/bid/93222
- http://www.securityfocus.com/bid/93222
- http://www.ubuntu.com/usn/USN-3093-1
- http://www.ubuntu.com/usn/USN-3093-1
- https://bugzilla.clamav.net/show_bug.cgi?id=11514
- https://bugzilla.clamav.net/show_bug.cgi?id=11514
- https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/
- https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/