CERT VU:849841
History: Nov 20, 2012 - 12:00 a.m.

Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers

2012-11-20 00:00:00
www.kb.cert.org
CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.004 Low
Percentile: 72.7%

Overview

Autonomy Keyview IDOL contains multiple vulnerabilities in file parsers. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.

Description

Autonomy Keyview IDOL is a set of libraries that can decode over 1,000 different file formats. The Autonomy Keyview IDOL libraries are used by a variety of applications, including IBM Lotus Notes, Lotus Domino, Symantec Mail Security, RSA DLP, VMware Zimbra, Hyland OnBase, and many others. These vulnerabilities result from a number of underlying issues. Some of these cases demonstrated memory corruption with attacker-controlled input and could be exploited to run arbitrary code.


Impact

By causing an application to process a specially crafted file with the Autonomy Keyview IDOL library, a remote, unauthenticated attacker may be able to cause an affected application to crash, resulting in a denial of service, or to execute arbitrary code with the privileges of the vulnerable application. Depending on which application is using Keyview IDOL, this may happen as the result of some user interaction, such as single-clicking on a file, or with no user interaction at all. The privileges that the code would execute with depend on the application in question. For example, an attacker who exploits Symantec Mail Security or IBM Lotus Domino would be able to achieve code execution with SYSTEM privileges.


Solution

Apply an update

This issue is addressed in Autonomy Keyview IDOL 10.16. Please see your vendor for relevant product updates that include this version of Keyview.


Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a video tutorial for setting up EMET 3.0 on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.

Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.


Vendor Information


Autonomy Affected

Updated: June 04, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Autonomy has been acquired by HP.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23849841 Feedback>).

CA Technologies Affected

Notified: March 29, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

CA DLP uses Keyview for text extraction.

Cisco Systems, Inc. Affected

Notified: March 29, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Cisco IronPort uses RSA DLP components, which contain Autonomy Keyview.

EMC Corporation Affected

Notified: March 29, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

EMC RSA DLP uses Keyview.

Hewlett-Packard Company Affected

Notified: March 05, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

HP has acquired Autonomy.

Hyland Software Affected

Notified: March 29, 2012 Updated: June 04, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Affected

Notified: November 21, 2012 Updated: March 24, 2013

Statement Date: March 24, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Lotus Notes and Domino use Keyview.

Lotus Software Affected

Notified: March 29, 2012 Updated: March 24, 2013

Statement Date: March 24, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Lotus Notes and Domino use Keyview.

McAfee Affected

Notified: March 29, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

McAfee DLP 9.1 and later use Keyview.

Nuance Communications, Inc. Affected

Updated: November 28, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Nuance PaperPort 14 uses the Keyview libraries. OmniPage 16 Professional appears to provide Keyview as well; however, the latest version 18 does not. Other versions may also be affected.

Oracle Corporation Affected

Updated: November 28, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Palisade Systems Affected

Notified: May 22, 2012 Updated: May 22, 2012

Statement Date: May 22, 2012

Status

Affected

Vendor Statement

It has been two and one-half years since our product lines have ceased using
KeyView for document parsing capabilities. The versions of the Palisade
products that used KeyView are no longer under support and we strongly
urge our customers to upgrade to current versions of our software.

HP Autonomy KeyView was used in Palisade Systems PacketSure products
versions 5.0 through 7.5 that had the Content Analysis (Data Loss
Prevention) feature enabled, and in the corresponding Windows
Discovery Agent.

Palisade Systems urges customers to contact our support team at
[email protected] or 866-325-6500 if they have any questions.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Proofpoint Affected

Notified: May 22, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec Affected

Notified: March 29, 2012 Updated: January 28, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Symantec Mail Security for Microsoft Exchange and Domino, Symantec Messaging Gateway, and Symantec DLP use Keyview. Note that although various Symantec products listed in the above link provide KeyView 10.15, this is a special version of KeyView 10.15 with backported fixes.

Trend Micro Affected

Notified: May 22, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trustwave Affected

Notified: May 29, 2012 Updated: June 04, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Vericept uses Keyview. Trustwave has ignored our attempts to contact them.

VMware Affected

Notified: November 17, 2012 Updated: November 19, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

VMware Zimbra uses Keyview.

Verdasys Affected

Notified: May 23, 2012 Updated: June 04, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

WebSense Affected

Notified: March 29, 2012 Updated: November 05, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Websense TRITON Data Security uses Keyview.

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.7 | E:ND/RL:OF/RC:C |
| Environmental | 8.7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2012-6277
Date Public: 2012-11-20 Date First Published:
