CERT-FI and CPNI Joint Vulnerability Advisory on Archive Formats

Vulnerability Research in Archive Formats

Version Information

Advisory Reference CERT-FI: 20469

CPNI: 072928

CERT/CC: VU#813451

Release Date 17 March 2008 12:00 UTC

Last Revision 6 August 2009

Version Number 1.3

CVEs:

Acknowledgement

The Test Suite was provided by the Oulu University Secure Programming Group (OUSPG) at the University of Oulu in Finland.

What is Affected?

The vulnerabilities described in this advisory can potentially affect programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO.

The Test Suite contains a set of fuzzed archive files in different formats. Some of these files may cause, and some are known to cause, problems in common tools that process archived content. These include:

  • Content inspection products such as anti-virus and stateful firewalls
  • Encryption products (VPN, PGP)
  • Backup software
  • Office programs
  • Operating systems and libraries

Impact

The impact of this research varies by vendor. Please see the 'Vendor Information' section below for further information. Alternatively, contact your vendor for product specific information.

The vulnerabilities identified as part of this research can potentially expose Denial-of-Service (DoS) and/or buffer overflow conditions. In some cases, it may even be possible for an attacker to execute code on the affected system.

Severity

The severity of this research varies by vendor. Please see the 'Vendor Information' section below for further information. Alternatively, contact your vendor for product specific information.

Summary

The University of Oulu Secure Programming Group (OUSPG) has been working on a piece of research, known as the PROTOS Genome Project (GENOME), since January 2005. The objective of GENOME was to test the implementations of arbitrary, possibly unknown, protocols by using model-assisted fuzzing to generate test materials.

As part of GENOME, OUSPG began looking at archive formats. These formats are typically used to archive files and directories and compress them into smaller, compact packages that can then be stored or transmitted via various media in a convenient and economical manner.

During the initial research on archive formats, OUSPG identified that most implementations evaluated failed to perform in a robust manner. Some failures had security implications and hence should be identified as vulnerabilities.

In order to ensure products that support these formats are robust to any vulnerabilities that may be discovered as part of this research, the Test Suite was made available to multiple vendors so that they could use it to test their implementations.

Details

Archive formats are typically used to perform one of the following functions:

(1) To hold one or more archived files. Most archive formats are also capable of storing folders in order to reconstruct the file/folder relationship when extracted.

(2) To compress one or more files and folders into a single file for backup or transport.

These formats, identified by file extensions such as ACE, ARJ, BZ2, CAB, GZ, LHA, RAR, TAR, ZIP and ZOO, are usually platform-independent and are supported by a variety of implementations, including many anti-virus products.

It is for this reason that archive formats were chosen as the subject of further investigation as part of PROTOS GENOME. In this approach, a set of valid files is first collected, then a program is used to analyse the structure of these files, yielding a rough model of the underlying file format. This model is then used to generate similar files, which often have modifications that would be extremely unlikely to appear in a valid file.

Usually, programs should simply report that the files are invalid and resume operation in a controlled manner. However, behaviour such as program termination, altered behaviour and infinite loops can indicate unintentional, and in many cases exploitable, errors.
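The generate-and-observe loop described above, applied to a single format, as an added example that is not part of this advisory or of the OUSPG test suite: a defensive parser for the gzip (RFC 1952) member header that checks every declared length before reading, a constructed valid seed file, a crude deterministic mutator (bit flips, truncation, random insertion), and a report that classifies each mutant's outcome as "accepted", "rejected" (the controlled failure the text calls for) or "crashed" (an uncaught exception, the uncontrolled failure). The parser, the MAX_FIELD_LEN cap, the outcome names and the mutation strategies are all this example's own assumptions, not anything defined by the advisory.

```python
# Added example, not from the advisory or the OUSPG test suite: a defensive
# parser for the gzip (RFC 1952) member header plus a mutate-and-observe loop
# that checks the parser fails in a controlled way on malformed input.
import gzip
import random
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# RFC 1952 FLG bits
FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x10 >> 1, 0x10
MAX_FIELD_LEN = 4096  # assumption: bound we impose on FNAME/FCOMMENT fields

class InvalidArchive(Exception):
    """Controlled rejection of a malformed file; callers catch this and move on."""

@dataclass
class GzipHeader:
    method: int
    flags: int
    mtime: int
    extra: bytes
    name: Optional[str]
    comment: Optional[str]
    payload_offset: int  # where the deflate stream starts

def _read_cstring(buf: bytes, pos: int) -> tuple:
    # Search for the NUL terminator only inside a bounded window, so a missing
    # terminator or an oversized field is rejected rather than scanned past.
    end = buf.find(b"\x00", pos, pos + MAX_FIELD_LEN + 1)
    if end < 0:
        raise InvalidArchive("unterminated or oversized string field")
    return buf[pos:end], end + 1

def parse_gzip_header(buf: bytes) -> GzipHeader:
    """Parse one member header, checking every length before every read."""
    if len(buf) < 10:
        raise InvalidArchive("truncated fixed header")
    id1, id2, cm, flg, mtime, _xfl, _os = struct.unpack_from("<BBBBIBB", buf, 0)
    if (id1, id2) != (0x1F, 0x8B):
        raise InvalidArchive("bad magic")
    if cm != 8:
        raise InvalidArchive("unsupported compression method")
    if flg & 0xE0:
        raise InvalidArchive("reserved flag bits set")
    pos, extra, name, comment = 10, b"", None, None
    if flg & FEXTRA:
        if len(buf) < pos + 2:
            raise InvalidArchive("truncated XLEN")
        xlen = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if len(buf) < pos + xlen:  # a declared length must fit inside the file
            raise InvalidArchive("extra field longer than file")
        extra, pos = buf[pos:pos + xlen], pos + xlen
    if flg & FNAME:
        raw, pos = _read_cstring(buf, pos)
        name = raw.decode("latin-1")
    if flg & FCOMMENT:
        raw, pos = _read_cstring(buf, pos)
        comment = raw.decode("latin-1")
    if flg & FHCRC:
        if len(buf) < pos + 2:
            raise InvalidArchive("truncated header CRC")
        pos += 2
    return GzipHeader(cm, flg, mtime, extra, name, comment, pos)

def classify(buf: bytes) -> str:
    """Outcome classes for the robustness check (names are this example's own)."""
    try:
        parse_gzip_header(buf)
        return "accepted"
    except InvalidArchive:
        return "rejected"   # the controlled outcome a robust parser should give
    except Exception:       # any other exception is an uncontrolled failure
        return "crashed"

def build_sample() -> bytes:
    """Constructed valid gzip member with an FNAME field: the seed file."""
    data = b"hello, archive"
    hdr = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FNAME, 0, 0, 3) + b"hello.txt\x00"
    c = zlib.compressobj(wbits=-15)  # raw deflate, as gzip members carry it
    return hdr + c.compress(data) + c.flush() + struct.pack("<II", zlib.crc32(data), len(data))

def sample_is_valid_gzip() -> bool:
    return gzip.decompress(build_sample()) == b"hello, archive"

def mutate(seed: bytes, count: int, rng_seed: int = 1) -> list:
    """Crude, deterministic structural mutations: bit flip, truncation, insertion."""
    rng = random.Random(rng_seed)
    out = []
    for _ in range(count):
        b = bytearray(seed)
        op = rng.choice(("flip", "truncate", "insert"))
        if op == "flip" and b:
            b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
        elif op == "truncate" and b:
            del b[rng.randrange(len(b)):]
        else:
            i = rng.randrange(len(b) + 1)
            b[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
        out.append(bytes(b))
    return out

def robustness_report(seed: bytes, count: int = 300) -> dict:
    """Counts of each outcome over the mutants; 'crashed' should stay at zero."""
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for m in mutate(seed, count):
        counts[classify(m)] += 1
    return counts
```

Running robustness_report(build_sample()) shows every mutant landing in "accepted" or "rejected"; a non-zero "crashed" count is exactly the kind of uncontrolled failure the advisory treats as a candidate vulnerability. The same loop applies unchanged to any parser that raises one well-defined rejection type for malformed input.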

The test material can be found at the following URL:

http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/

Mitigation

Please refer to the 'Vendor Information' section of this advisory for platform specific mitigation.

Vendor Information

Vendor             Vulnerable?     Fixed version or URL
7-zip              Yes             4.5.7
Aladdin            Not Vulnerable
AOL                Unknown
Apple              Yes             http://support.apple.com/kb/HT3757
Astaro             Yes             http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html
Avaya              Yes             http://support.avaya.com/elmodocs2/security/ASA-2008-404.htm
BeCubed            Unknown
bzip2              Yes             1.0.5 http://www.bzip.org/CHANGES
Checkpoint         Unknown
Cisco              Unknown
Citrix             Not Vulnerable
ClamAv             Yes             0.93 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
                                   https://www.clamav.net/bugzilla/show_bug.cgi?id=897
                                   https://bugzilla.clamav.net/show_bug.cgi?id=898
ConeXware          Unknown
Crossbeam Systems  Unknown
Debian             Yes             http://www.debian.org/security/2008/dsa-1455
Entrust            Unknown
Ericsson           Unknown
Eazel              Unknown
F-Secure           Yes             http://www.f-secure.com/security/fsc-2008-2.shtml
FreeBSD            Yes             http://www.securityspace.com/smysecure/catid.html?id=60833
                                   http://www.securityspace.com/smysecure/catid.html?id=60632
                                   http://www.freebsd.org/security/advisories/FreeBSD-SA-07:05.libarchive.asc
Gentoo             Yes             http://security.gentoo.org/glsa/glsa-200708-03.xml
                                   http://www.gentoo.org/security/en/glsa/glsa-200804-02.xml
                                   http://security.gentoo.org/glsa/glsa-200805-19.xml
                                   http://security.gentoo.org/glsa/glsa-200903-40.xml
Gfi                Not Vulnerable
Google             Unknown
Grisoft            Unknown
HP                 Unknown
IBM                Unknown
Inner Media        Unknown
Insta              Unknown
IpCop              Yes             http://www.ipcop.org/index.php?name=News&file=article&sid=40
Isode              Unknown
Kaspersky          Yes             Version data not available. Updated versions are fixed.
Kolab              Yes             http://kolab.org/security/kolab-vendor-notice-20.txt
lbzip2             Yes             0.03 http://freshmeat.net/projects/lbzip2/releases/283292
Libarchive         Yes             http://people.freebsd.org/~kientzle/libarchive/
Mandriva           Yes             http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2008:075/?name=MDVSA-2008:075
                                   http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2008:088/?name=MDVSA-2008:088
McAfee             Yes             https://knowledge.mcafee.com/article/456/615178_f.SAL_Public.html
Microsoft          Not Vulnerable
Mozilla            Unknown
NetBSD             Yes             ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-004.txt.asc
Nixu Oy            Unknown
Nokia              Unknown
Nortel             Unknown
Oracle             Not Vulnerable
Python             Unknown
RARLAB             Yes             http://rhn.redhat.com/errata/RHSA-2008-0893.html
                                   https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00165.html
                                   https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00225.html
                                   https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00576.html
                                   https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00625.html
                                   https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00249.html
Rising Antivirus   Unknown
rPath Linux        Yes             http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118
S60Zip             Not Vulnerable
Secgo              Not Vulnerable
Siemens            Unknown
Slackware          Yes             http://www.slackware.org/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.473263
SonicWALL          Unknown
Sophos             Yes             http://www.sophos.com/support/knowledgebase/article/50611.html
Sourcefire         Unknown
SUSE               Yes             http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00009.html
                                   http://lists.opensuse.org/opensuse-security-announce/2008-05/msg00000.html
                                   http://www.novell.com/linux/security/advisories/2007_15_sr.html
Stonesoft          Unknown
Sun Microsystems   Yes             https://sunsolve.sun.com/search/document.do?assetkey=1-66-241786-1
Symantec           Not Vulnerable
TeamF1             Unknown
TightVNC           Unknown
Ubuntu             Yes             http://www.ubuntulinux.org/usn/usn-590-1
VeriSign           Unknown
VmWare             Yes             http://kb.vmware.com/kb/1006982
                                   http://kb.vmware.com/kb/1007198
                                   http://kb.vmware.com/kb/1007504
WinGate            Unknown
WinZip             Unknown
Wind River         Unknown

Vendor Statements

Aladdin

No statement at this time


Apple

Our tests did not indicate any problems in Apple software running the test cases provided.


bzip2

One test case has been found to cause problems with bzip2. It has been fixed in version 1.0.5.


Citrix

No statement at this time


F-Secure

Several products from F-Secure Corporation are vulnerable to the issue described in CERT-FI: 20469, CPNI: 072928, CERT/CC: VU#813451. Patches for the vulnerability have been published, and distributed automatically to end-users for all products that support automatic patching. More information about potential impact, affected products and available patches can be found in the advisory FSC-2008-2 located at

http://www.f-secure.com/security/fsc-2008-2.shtml.


Gfi

No statement at this time


Microsoft

No statement at this time


Oracle

No statement at this time


RARLAB

Potential problems were found in WinRAR 3.70 code for almost all formats included in the test suite except ZOO, which is not supported by WinRAR. RARLAB did not investigate exploitability and severity of found problems. All potential problems were fixed regardless of their severity. All these fixes were included in WinRAR 3.71.


S60Zip

S60Zip uses the API provided by the platform to decompress .zip files.


Secgo

No statement at this time


Symantec

We have done extensive testing against your test suite. We have verified that none of our products are vulnerable.


Credits

CERT-FI and the CPNI Vulnerability Team would like to thank OUSPG for making the Test Suite available to vendors.

CERT-FI and the CPNI Vulnerability Team would also like to thank the vendors for their co-operation and to JPCERT/CC for co-ordinating this issue in Japan.


Contact Information

NCSC-FI's (former CERT-FI) Vulnerability Coordination can be contacted as follows:


Email:

vulncoord@ficora.fi

Please quote the advisory reference in the subject line


Telephone:

+358 295 390 230 (lnf/mcf)

Monday - Friday 08:00 - 16:15 (EET: UTC+2)


Post:

Vulnerability Coordination

FICORA/NCSC-FI

P.O. Box 313

FI-00181 Helsinki

FINLAND


We encourage those who wish to communicate via email to make use of our PGP key. The key is available here:

CERT-FI's Contact Information


The CPNI Vulnerability Management Team can be contacted as follows:


Email:

VulTeam@cpni.gsi.gov.uk

Please quote the advisory reference in the subject line


Telephone :

+44 (0)870 487 0748 Ext 4511

Monday - Friday 08:30 - 17:00


Fax:

+44 (0)870 487 0749


Post:

Vulnerability Management Team

CPNI

PO Box 60628

London

SW1P 1HA


We encourage those who wish to communicate via email to make use of our PGP key. The key is available at http://www.cpni.gov.uk/key.aspx.


Please note that UK government protectively marked material should not be sent to the email address above.


If you wish to be added to our email distribution list please email your request to infosec@cpni.gov.uk.


What are CERT-FI and CPNI?

For further information regarding the Finnish National CERT Team, CERT-FI, please visit

Ficora's Information Security Services

For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk.


Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes.


Neither shall CPNI accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice.


Key words: Information security, Vulnerability coordination, Articles, Vulnerabilities
