SOL8420 - ClamAV buffer overflow vulnerabilities - CVE-2007-6335, CVE-2007-6336

The FirePass controller can be configured to provide antivirus scanning of files uploaded through Portal Access. The software used to scan uploaded files is ClamAV open source software, which is enabled by selecting the Enable Standalone Virus Scanner button on theAntivirus tab of the Portal Access: Content Inspection page in the FirePass Administrative Console.

Multiple vulnerabilities in ClamAV versions prior to version 0.92 could allow an attacker to crash the ClamAV scanner process (daemon) or execute arbitrary code on the FirePass controller. In order to exploit this vulnerability, ClamAV scanning must be enabled in the FirePass controller and the attacker must be an authenticated FirePass user who uploads a specially crafted MEW packed Portable Executable (PE) file or a specially crafted MS-ZIP packed CAB file. Running arbitrary code on the FirePass controller could lead to further exploits, including unauthorized modification of files on the FirePass controller, remote administrative access to the FirePass controller, unauthorized disclosure of information, denial of service (DoS), or other exploits.

Information about this advisory is available at the following locations:

<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6335&gt;
<http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6336&gt;

F5 Product Development tracked this issue as CR91792 for FirePass, and it was fixed in version 6.0.3. For information about upgrading, refer to the FirePass Release Notes.

Obtaining and installing patches

You can download patches from the F5 Networks Downloads page for the following products and versions:

Note: For more information about installing the hotfixes listed above, refer to the README file on the F5 Downloads site for your version-specific hotfix.