|Check Point Reference:||CPAI-2015-0282|
|Date Published:||26 Mar 2015|
|Last Updated:||26 Mar 2015|
|Protection Provided by:||
|Who is Vulnerable?|
|Vulnerability Description||The SOFTWIN BitDefender Antivirus (AV) product is an anti-virus scanner capable of on-demand as well as email scanning operations. The AV scanner logs by default all results of scans that it performs on the host machine. The logs include positive as well negative virus pattern matches. There exists a format string vulnerability in BitDefender Antivirus product. The flaw is caused by improper validation of file names when printing logging information. By delivering files with crafted names to a vulnerable target, a remote attacker may leverage this vulnerability to bypass the detection for further attacks or execute arbitrary code. In a case of an unsuccessful code injection attack, the current scanning process will terminate unexpectedly, the functionality of the Anti-Virus product as a whole will not be affected. The AV application will not produce any log entries as a result of its unexpected termination. The attacker may utilize this issue to bypass the scanning of a known virus file when the scan accessed files option in the AV application setting is disabled. A successful attack aiming at code injection and execution will divert the process flow of the vulnerable application. This will result in arbitrary code execution. The behaviour of the target system is dependent on the intention of the injected code.|
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated,
update your Security Gateway product to the latest IPS update.
For information on how to update IPS, go to
Protection tab and select the version of your choice.
SmartView Tracker will log the following entries:
Attack Name: HTTP Protocol Inspection.
Attack Information: BitDefender Antivirus Logging Function Format String - Ver2