{"vuid":"VU#361180","idnumber":"361180","name":"McAfee Scan Engine vulnerable to buffer overflow in LHA decoder","keywords":["McAfee","buffer overflow","specially crafted","LHA","AV scanning engine"],"overview":"A buffer overflow vulnerability in the McAfee Virus Scan Engine may allow a remote attacker to execute arbitrary code on an affected system. Because the vulnerability exists in a core component, a number of different McAfee products are affected.","clean_desc":"The McAfee Antivirus products feature the ability to detect malicious code in a number of compressed files, including those in the LHA format. A buffer overflow error has been discovered in the way that the McAfee Scan Engine handles the \"type 2\" headers in an LHA file. A remote attacker with the ability to craft a specifically malformed LHA file may be able to exploit this vulnerability by introducing the malformed LHA file to an affected system via a web or FTP server, email message, or file server. McAfee lists the following products as being potentially vulnerable to this issue, depending on the version of the scan engine they use: McAfee InternetSecurity Suite\nVirusScan (all versions)\nVirusScan Professional\nActive Mail Protection\nActive Threat Protection\nActive Virus Defense SMB Edition\nActive VirusScan SMB Edition\nGroupShield for Exchange\nGroupShield for Exchange 5.5\nGroupShield for Lotus Domino\nGroupShield for Mail Servers with ePO\nLinuxShield\nManaged VirusScan\nNetShield for Netware\nPortalShield for Microsoft SharePoint\nSecurityShield for Microsoft ISA Server\nVirex\nVirusScan ASaP\nVirusScan Command Line\nVirusScan Enterprise 8.0i\nVirusScan for NetApp\nWebShield Appliances\nWebShield SMTP","impact":"An unauthenticated remote attacker may be able to execute code of their choosing on a vulnerable system. The attacker-supplied code would be run with Local System privileges, resulting in a complete system compromise.","resolution":"Apply an update from the vendor. McAfee has published updated versions of the Scan Engine (version 4400 - released November 2004) and DAT file (version 4436 - released March 1, 2005) to address this vulnerability. Users are encouraged to review the McAfee FAQ and McAfee advisory on this issue and update their products accordingly.","workarounds":"","sysaffected":"","thanks":"The CERT/CC credits Alex Wheeler of the ISS X-Force with the discovery of this vulnerability.","author":"This document was written by Chad R Dougherty based upon information provided by McAfee and ISS.","public":["http://xforce.iss.net/xforce/alerts/id/190","http://secunia.com/advisories/14628/","http://www.securityfocus.com/bid/12832","http://www.securitytracker.com/alerts/2005/Mar/1013463.html"],"cveids":["CVE-2005-0644"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-03-18T16:35:19Z","publicdate":"2005-03-18T00:00:00Z","datefirstpublished":"2005-03-18T20:25:32Z","dateupdated":"2005-03-21T19:07:42Z","revision":6,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"14","cam_population":"15","cam_impact":"19","cam_easeofexploitation":"8","cam_attackeraccessrequired":"18","cam_scorecurrent":"22.3155","cam_scorecurrentwidelyknown":"26.163","cam_scorecurrentwidelyknownexploited":"41.553","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":22.3155,"vulnote":null}