K8420 : ClamAV buffer overflow vulnerabilities - CVE-2007-6335, CVE-2007-6336

2013-03-1800:00:00

my.f5.com

7.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.246 Low

EPSS

Percentile

96.2%

JSON

Security Advisory Description

Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

Product	Affected	Not Affected
BIG-IP LTM	None	9.x
10.x
11.x
BIG-IP GTM	None	9.x
10.x
11.x
BIG-IP ASM	None	9.x
10.x
11.x
BIG-IP Link Controller	None	9.x
10.x
11.x
BIG-IP WebAccelerator	None	9.x
10.x
11.x
BIG-IP PSM	None	9.x
10.x
11.x
BIG-IP WAN Optimization	None	10.x
11.x
BIG-IP APM	None	10.x
11.x
BIG-IP Edge Gateway	None	10.x
11.x
BIG-IP Analytics	None	11.x
BIG-IP AFM	None	11.x
BIG-IP APEM	None	11.x
FirePass	5.0.0 - 5.5.2
6.0.0 - 6.0.2	3.1.0 - 4.1.1
6.0.3
6.1.x
7.x
Enterprise Manager	None	1.x
2.x
3.x
ARX	None	2.x
3.x
4.x
5.x
6.x

The FirePass controller can be configured to provide antivirus scanning of files uploaded through Portal Access. The software used to scan uploaded files is ClamAV open source software, which is enabled by selecting the Enable Standalone Virus Scanner button on theAntivirus tab of the Portal Access: Content Inspection page in the FirePass Administrative Console.

Multiple vulnerabilities in ClamAV versions prior to version 0.92 could allow an attacker to crash the ClamAV scanner process (daemon) or execute arbitrary code on the FirePass controller. In order to exploit this vulnerability, ClamAV scanning must be enabled in the FirePass controller and the attacker must be an authenticated FirePass user who uploads a specially crafted MEW packed Portable Executable (PE) file or a specially crafted MS-ZIP packed CAB file. Running arbitrary code on the FirePass controller could lead to further exploits, including unauthorized modification of files on the FirePass controller, remote administrative access to the FirePass controller, unauthorized disclosure of information, denial of service (DoS), or other exploits.

Information about this advisory is available at the following locations:

<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6335>
<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6336>

F5 Product Development tracked this issue as CR91792 for FirePass, and it was fixed in version 6.0.3. For information about upgrading, refer to the FirePass Release Notes.

Obtaining and installing patches

You can download patches from the F5 Networks Downloads page for the following products and versions:

Product	Version	Hotfix	Installation File
FirePass	5.5.0	hotfix-91792	HF-91792-1-5.5-ALL-0.tar.gz.enc
FirePass	5.5.1	hotfix-91792	HF-91792-1-5.51-ALL-0.tar.gz.enc
FirePass	5.5.2	hotfix-91792	HF-91792-1-5.52-ALL-0.tar.gz.enc
FirePass	6.0.1	hotfix-91792	HF-91792-1-6.01-ALL-0.tar.gz.enc
FirePass	6.0.2	hotfix-90387-91792	HF-90387-91792-1-6.02-ALL-0.tar.gz.enc

Note: For more information about installing the hotfixes listed above, refer to the README file on the F5 Downloads site for your version-specific hotfix.

CPENameOperatorVersion
big-ip afmeq11.3.0
big-ip analyticseq11.0.0
big-ip analyticseq11.1.0
big-ip analyticseq11.2.0
big-ip analyticseq11.2.1
big-ip analyticseq11.3.0
big-ip apmeq10.1.0
big-ip apmeq10.2.0
big-ip apmeq10.2.1
big-ip apmeq10.2.2

Name	Operator	Version
big-ip afm	eq	11.3.0
big-ip analytics	eq	11.0.0
big-ip analytics	eq	11.1.0
big-ip analytics	eq	11.2.0
big-ip analytics	eq	11.2.1
big-ip analytics	eq	11.3.0
big-ip apm	eq	10.1.0
big-ip apm	eq	10.2.0
big-ip apm	eq	10.2.1
big-ip apm	eq	10.2.2