Serious vulnerabilities have popped up in several popular security software tools in the past few days, namely Sophos Anti-Virus, ClamAV and the network protocol scanner Ethereal. The flaws could allow complete system takeover, according to researchers.
Fixes are available for Ethereal and ClamAV, but Sophos said it hasn't yet patched all affected versions of its software.
All three are widely used in enterprises, with ClamAV and Ethereal distributed under open-source licences. ClamAV is an anti-virus toolkit under the GNU General Public Licence (GPL) and is integrated into many mail servers, where it's used to scan attachments. Sophos makes anti-virus software for enterprises and smaller businesses.
The Sophos flaw - a buffer overflow vulnerability - has been fixed in some current versions of Sophos products, but hasn't yet been patched in others, the company said. Companies running Sophos Anti-Virus version 3.96.0 on Windows, Unix, NetWare, OS/2 or OpenVMS are not affected. Also unaffected is Sophos Anti-Virus 4.5.4.
Sophos said it will fix Sophos Anti-Virus Small Business Edition on all Windows platforms by Friday 29 July, and all other versions of Sophos Anti-Virus will be fixed within the next 14 days.
The company didn't give specifics, but the flaw is due to a heap overflow bug when analysing malformed files. An attacker could exploit the bug via a specially crafted e-mail attachment to execute malicious code and take over a system, Sophos said.
ClamAV suffers from problems with at least four of the components used for processing different file formats, according to researchers.
"During the processing of TNEF, CHM, and FSG formats an attacker is able to trigger several integer overflows that allow attackers to overwrite heap data to obtain complete control of the system," said Rem0te.com in an advisory [pdf].
ClamAV installations are vulnerable by default and could be triggered via an email, according to researchers. The bug affects version 0.86.1, and has been patched in version 0.86.2. Linux vendors and other software makers whose products contain ClamAV have been issuing patches directly.
ClamAV is found on a wide variety of platforms. It is included in Mac OS X Server by default and has numerous Windows implementations; all of these derivatives are likely to be vulnerable, Rem0te.com said.
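The bug class described above, an integer overflow in a file-format parser's length check that lets a subsequent copy run past a heap buffer, is illustrated by this added example. It is constructed for this article and is not ClamAV's code: the record layout (a 4-byte little-endian length followed by the payload) is a hypothetical stand-in for the TNEF-style attribute streams mentioned in the advisory, and the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical record format: 4-byte little-endian payload length, then payload. */
#define HDR_LEN 4u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable check: HDR_LEN + len is computed in 32-bit arithmetic, so a
 * length near UINT32_MAX wraps to a small value and passes the comparison.
 * A parser that then copied 'len' bytes would write far past its heap buffer. */
bool accept_record_vuln(const uint8_t *buf, uint32_t remaining) {
    if (remaining < HDR_LEN) return false;
    uint32_t len = rd_le32(buf);
    uint32_t needed = HDR_LEN + len;   /* may wrap around */
    return needed <= remaining;
}

/* Hardened check: never form a sum that can wrap; compare the length against
 * the space left once the header has been accounted for. */
bool accept_record_safe(const uint8_t *buf, uint32_t remaining) {
    if (remaining < HDR_LEN) return false;
    uint32_t len = rd_le32(buf);
    return len <= remaining - HDR_LEN;
}

/* Walk a whole stream with the hardened check. Returns the number of records
 * accepted, or -1 as soon as a record's length does not fit the data. */
int count_records_safe(const uint8_t *buf, uint32_t size) {
    int n = 0;
    uint32_t off = 0;
    while (off < size) {
        if (!accept_record_safe(buf + off, size - off)) return -1;
        off += HDR_LEN + rd_le32(buf + off); /* cannot wrap: len <= size-off-HDR_LEN */
        n++;
    }
    return n;
}

/* Constructed samples: a malformed record claiming 0xFFFFFFFE payload bytes,
 * and a well-formed stream of two records ("abc" and an empty payload). */
const uint8_t SAMPLE_MALFORMED[8] = {0xFE, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
const uint8_t SAMPLE_GOOD[11] = {3, 0, 0, 0, 'a', 'b', 'c', 0, 0, 0, 0};

int main(void) {
    printf("malformed: vuln=%d safe=%d\n",
           accept_record_vuln(SAMPLE_MALFORMED, 8), accept_record_safe(SAMPLE_MALFORMED, 8));
    printf("good stream: %d records\n", count_records_safe(SAMPLE_GOOD, 11));
    return 0;
}
```

The wrapped sum (4 + 0xFFFFFFFE becomes 2) is exactly what makes the vulnerable check accept a length that the hardened check rejects.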
Ethereal versions 0.8.5 through 0.10.11 contain several vulnerabilities, one of which lies in the zlib compression library. zlib is used in a wide variety of applications and has recently been patched in web browsers, the KDE graphical user interface and the eMule file-sharing application, among others. All of the bugs are fixed in Ethereal 0.10.12.
The other flaws lie in a number of Ethereal's protocol dissectors, specifically the LDAP, AgentX, 802.3, PER, DHCP, BER, MEGACO, GIOP, SMB, WBXML, H1, DOCSIS, SMPP, HTTP, DCERPC, CAMEL, RADIUS, Telnet, IS-IS LSP and NCP dissectors; they include buffer overflow, format string and null pointer dereference bugs. Any of them could be exploited by remote attackers to crash Ethereal or execute malicious commands, researchers said.
The ClamAV bugs were discovered by researchers Neel Mehta and Alex Wheeler, who were to speak at the Black Hat security conference this week on the rising tide of vulnerability disclosures in security products. Attackers are switching their focus to security software as core operating systems become more secure, according to Mehta, the team lead for Internet Security Systems' (ISS) X-Force research group.