May 2005
Vet Anti-virus Engine heap overflow vulnerability
ID: 00445
Ref: 412/2005
Date: 26 May 2005:21:00:09
Version: 1
Title: Vet Anti-virus Engine heap overflow vulnerability
Abstract: A vulnerability has been identified in the Computer Associates Vet Anti-virus engine.
UNIRAS have been made aware of a vulnerability in the Computer Associates Vet Anti-virus
engine. UNIRAS delayed publication of this information until patches became widely
available.
The Computer Associates Vet Anti-Virus engine is used in multiple Anti-Virus Software
(AVS) products, including some AVS solutions provided by ISPs. UNIRAS recommends
that users patch any affected software. If you are unsure as to whether you may be
affected, please consult your AVS provider.
At present, the following products are known to be affected (listed by company):
COMPUTER ASSOCIATES
Computer Associates: BrightStor ARCserve Backup (BAB) r11.1 Windows
Computer Associates: eTrust Antivirus 6.0 Linux
Computer Associates: eTrust Antivirus 6.0 Notes/Exchange
Computer Associates: eTrust Antivirus 6.0 Solaris
Computer Associates: eTrust Antivirus 6.0 Windows 95/98/ME
Computer Associates: eTrust Antivirus 6.0 Windows NT/2000/XP
Computer Associates: eTrust Antivirus 6.0 Windows NT/2000/XP SP1
Computer Associates: eTrust Antivirus 6.0 Windows NT/2000/XP SP2
Computer Associates: eTrust Antivirus 7.0 Notes/Exchange
Computer Associates: eTrust Antivirus 7.0 Solaris
Computer Associates: eTrust Antivirus 7.0 Windows 95/98/ME
Computer Associates: eTrust Antivirus 7.0 Windows NT/2000/XP
Computer Associates: eTrust Antivirus 7.1 Notes/Exchange
Computer Associates: eTrust Antivirus 7.1 Solaris
Computer Associates: eTrust Antivirus 7.1 Windows NT/2000/XP
Computer Associates: eTrust Antivirus for the Gateway 7.0
Computer Associates: eTrust Antivirus for the Gateway r7.1
Computer Associates: eTrust EZ Antivirus 7
Computer Associates: eTrust EZ Antivirus 7.0.0
Computer Associates: eTrust EZ Antivirus 7.0.1
Computer Associates: eTrust EZ Antivirus 7.0.1.4
Computer Associates: eTrust EZ Antivirus 7.0.2
Computer Associates: eTrust EZ Antivirus 7.0.2.1
Computer Associates: eTrust EZ Antivirus 7.0.3
Computer Associates: eTrust EZ Antivirus 7.0.4
Computer Associates: eTrust EZ Antivirus 7.0.5
Computer Associates: eTrust Intrusion Detection 1.4.1.13
Computer Associates: eTrust Intrusion Detection 2.0
Computer Associates: eTrust Intrusion Detection 2.0 SP1
Computer Associates: eTrust Intrusion Detection 3.0
Computer Associates: eTrust Intrusion Detection 3.0SP1
Computer Associates: eTrust Secure Content Manager 1.0
Computer Associates: eTrust Secure Content Manager 1.0 SP1
Computer Associates: eTrust Secure Content Manager 1.1
Computer Associates: InoculateIT 6.0
Vendor advisory:
"Computer Associates has patched a high-risk vulnerability that was identified by
Alex Wheeler. The vulnerability can allow an attacker to gain control of a computer
through a carefully crafted Microsoft Office document."
http://crm.my-etrust.com/CIDocument.asp?KDId=1588&GUID=27DB59236134463B8C94D72C83B9EAF5
Security advisory:
"Computer Associates Vet Antivirus engine contains a vulnerability that may
allow remote attackers to execute arbitrary code. The vulnerability is due to
improper integer bounds checking performed when analyzing the OLE stream. Remote
attackers can exploit this vulnerability to cause a heap overflow and execute
arbitrary code."
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896
ZONELABS
ZoneAlarm Security Suite
ZoneAlarm AntiVirus
Vendor advisory:
"A security vulnerability existed in the anti-virus engine of specific
versions of ZoneAlarm Anti-Virus and ZoneAlarm Security Suite
(ZoneAlarm and ZoneAlarm Pro are not affected.)"
"To update your ZoneAlarm Anti-virus or Security Suite product:
1. Select Antivirus
2. In the Status area, choose the Update Now option
3. Select Overview | Product Info and verify that the Antivirus
Vet engine version is 11.9.1 or higher"
http://www.zonelabs.com
FURTHER INFORMATION
Additional information may be found on the following sites:
INTERNET STORM CENTRE
"As this library is used in personal firewall suites like CA's eZ Armor and
ZoneLab's ZoneAlarm, I am recommending that this issue be addressed quickly.
(This issue conjures up some not-so-fond memories involving the criticality of
the Blackice ICQ parser problem used by the Witty worm last year.)"
http://isc.sans.org/diary.php?date=2005-05-24
http://isc.sans.org/diary.php?date=2005-05-25
SECUNIA
"The vulnerability is caused due to an integer overflow in the Vet Antivirus Engine
(VetE.dll) when analysing OLE streams. This can be exploited to cause a heap-based
buffer overflow via e.g. a specially crafted Microsoft Office document."
- CA Multiple Products Vet Antivirus Engine Buffer Overflow
http://secunia.com/advisories/15470/
- Zonelabs ZoneAlarm Vet Antivirus Engine Buffer Overflow
http://secunia.com/advisories/15479/
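
ILLUSTRATION OF THE BUG CLASS
The advisories quoted above describe an integer overflow during OLE stream analysis that results in a heap-based buffer overflow. The C code below is an added example of that bug class and of the bounds check that prevents it. It is not code from the Vet engine or from any vendor, and the record layout (a 32-bit entry count followed by 16-byte entries) and all function names are constructed for the example and are not the OLE format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 16u  /* constructed: fixed size of one entry in bytes */

/* Read a little-endian 32-bit value from untrusted input. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: the product wraps modulo 2^32, so a huge count gives a
 * small allocation size while later copy loops still trust the count. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ENTRY_SIZE;
}

/* Hardened parser: returns a heap copy of the entries, or NULL when the
 * header is inconsistent with the data actually supplied. */
uint8_t *parse_entries(const uint8_t *buf, size_t len, uint32_t *out_count) {
    if (buf == NULL || out_count == NULL || len < 4) return NULL;
    uint32_t count = rd32(buf);
    size_t avail = len - 4;
    /* Bound the count by the bytes present; a division cannot overflow. */
    if (count == 0 || count > avail / ENTRY_SIZE) return NULL;
    size_t need = (size_t)count * ENTRY_SIZE;  /* safe: need <= avail */
    uint8_t *entries = malloc(need);
    if (entries == NULL) return NULL;
    memcpy(entries, buf + 4, need);
    *out_count = count;
    return entries;
}

int main(void) {
    /* Constructed input: header claims 0x10000001 entries, one is present. */
    uint8_t bad[4 + ENTRY_SIZE] = {0x01, 0x00, 0x00, 0x10};
    uint32_t n = 0;
    printf("wrapped size: %u\n", (unsigned)unchecked_alloc_size(rd32(bad)));
    printf("hardened parser: %s\n",
           parse_entries(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```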