
CERT Coordination Center

Multiple vendor implementations of file scanning utilities vulnerable to DoS via compressed file archive

Vulnerability Note VU#212707

Original Release Date: 2002-08-05 | Last Revised: 2002-10-02

Overview

Several file scanning utilities, including some virus scanners, may fail and crash when scanning compressed file archives.

Description

Many file scanners decompress compressed file archives in memory so their contents can be scanned. However, some of these scanners do not check whether enough memory is available before decompressing the file.

The Zip compression algorithm allows a maximum compression ratio of 1000:1, and with nested Zip archives it is possible to create a small archive that decompresses to a size several thousand times greater, far exceeding the memory available on most systems.

When a file scanner tries to decompress such an archive without first ensuring that enough memory is available, it may fail and crash. Because file scanners are sometimes used to scan message attachments on mail servers, this problem can also degrade the services those mail servers provide.
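The check the description says is missing can be made before any bytes are inflated, by reading the sizes recorded in the Zip central directory, and then enforced again while inflating, because those recorded sizes are written by whoever built the archive and cannot be trusted. The following is an added example written for this note; it is not code from the CERT/CC or from any vendor listed below. The limit values are an assumed policy, and the three archives are constructed in memory as test fixtures (one ordinary archive, one archive holding a block of zeros that deflates at roughly 1000:1, and that archive nested inside another):

```python
import io
import zipfile

# Policy limits: assumed values for this example, not figures from the advisory.
MAX_TOTAL_INFLATED = 32 * 1024 * 1024  # bytes we are willing to inflate per top-level archive
MAX_RATIO = 200                        # declared uncompressed:compressed ratio that triggers rejection
MAX_DEPTH = 2                          # levels of nested archives we are willing to open
CHUNK = 64 * 1024


class ArchiveRejected(Exception):
    """Raised instead of letting the scanner inflate itself out of memory."""


def _inflate_bounded(zf: zipfile.ZipFile, info: zipfile.ZipInfo, limit: int) -> bytes:
    """Inflate one member, never letting more than `limit` bytes into memory.

    The size in the header is attacker-controlled, so the running count,
    not the declared file_size, is the real guard.
    """
    out = io.BytesIO()
    total = 0
    with zf.open(info) as src:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            if total > limit:
                raise ArchiveRejected(f"{info.filename}: inflated past {limit} bytes")
            out.write(chunk)
    return out.getvalue()


def scan_archive(data: bytes, depth: int = 0, budget: int = MAX_TOTAL_INFLATED) -> dict:
    """Return a summary of the archive, or raise ArchiveRejected before memory runs out."""
    if depth > MAX_DEPTH:
        raise ArchiveRejected(f"nesting deeper than {MAX_DEPTH} levels")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"not a zip archive: {exc}")

    # Pass 1: look only at the central directory; nothing has been inflated yet.
    infos = [i for i in zf.infolist() if not i.is_dir()]
    declared = sum(i.file_size for i in infos)
    if declared > budget:
        raise ArchiveRejected(f"declares {declared} bytes, budget is {budget}")
    for i in infos:
        ratio = i.file_size / max(i.compress_size, 1)
        if ratio > MAX_RATIO:
            raise ArchiveRejected(f"{i.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")

    # Pass 2: inflate under the remaining budget, recursing into nested archives.
    inflated = 0
    members = 0
    for i in infos:
        content = _inflate_bounded(zf, i, budget - inflated)
        inflated += len(content)
        members += 1
        if content[:4] == b"PK\x03\x04":  # local file header signature: a nested archive
            inner = scan_archive(content, depth + 1, budget - inflated)
            inflated += inner["inflated"]
            members += inner["members"]
    return {"members": members, "inflated": inflated, "depth": depth}


def is_rejected(data: bytes) -> bool:
    """Convenience wrapper so callers (and tests) get a boolean verdict."""
    try:
        scan_archive(data)
        return False
    except ArchiveRejected:
        return True


def build_archive(members: dict) -> bytes:
    """Build an in-memory deflated zip from {name: bytes}; used only for the fixtures below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures (not real samples).
BENIGN_CONTENT = b"".join(f"line {n}: ok\n".encode() for n in range(200))
BENIGN = build_archive({"report.txt": BENIGN_CONTENT})
# 4 MiB of zeros deflates to a few KiB, so its declared ratio is far above MAX_RATIO.
HIGH_RATIO = build_archive({"big.bin": b"\0" * (4 * 1024 * 1024)})
# The same archive one level down; its own ratio is ~1:1, so only the recursion catches it.
NESTED = build_archive({"inner.zip": HIGH_RATIO})

if __name__ == "__main__":
    for label, fixture in (("benign", BENIGN), ("high-ratio", HIGH_RATIO), ("nested", NESTED)):
        print(label, "rejected" if is_rejected(fixture) else scan_archive(fixture))
```

Two design points matter here. The ratio and declared-size checks in pass 1 cost nothing because they read only the central directory, but a header can claim any size it likes, so the per-chunk count in `_inflate_bounded` is what actually keeps the process inside its budget. Second, the budget is passed down through nested archives and reduced as each level is inflated, so a chain of small archives cannot restart the limit at every level; the depth cap stops the chain outright.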

Impact

Attackers can craft a file that will crash a file scanner and possibly cause additional problems for mail servers that employ file scanners.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

None.

Vendor Information


Aladdin Knowledge Systems Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Command Software Unknown

Notified: April 22, 2002 | Updated: September 18, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Computer Associates Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CyberSoft Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data Fellows Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Finjan Software Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Jkuo Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


McAfee Unknown

Updated: April 22, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OnTrack Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


PSPL Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sophos Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Symantec Unknown

Notified: April 22, 2002 | Updated: August 05, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Trend Micro Unknown

Updated: April 22, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


References

Acknowledgements

Thanks to Michel Arboi for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 4.39
Date Public: 2002-07-16
Date First Published: 2002-08-05
Date Last Updated: 2002-10-02 15:47 UTC
Document Revision: 9

Sponsored by CISA.