CVE-2012-1458
Published: 2012-03-21
Priority: P3 · 35 · medium · CVSS 2.0: 4.3
CVSS vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 73.74% (99.4th percentile)
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clamav | clamav | — | — |
| clamav | clamav | >= 0 < 0.97.5+dfsg-1 | 0.97.5+dfsg-1 |
| clamav | clamav | >= 0 < 0.97.5+dfsg-1 | 0.97.5+dfsg-1 |
| clamav | clamav | >= 0 < 0.97.5+dfsg-1 | 0.97.5+dfsg-1 |
| clamav | clamav | >= 0 < 0.97.5+dfsg-1 | 0.97.5+dfsg-1 |
| debian | clamav | < clamav 0.97.5+dfsg-1 (bookworm) | clamav 0.97.5+dfsg-1 (bookworm) |
| sophos | sophos_anti-virus | — | — |
Detection & IOCs (extracted from sources)
- Malware evasion via crafted reset interval in the LZXC header of a CHM file: inspect CHM files for anomalous LZXC reset interval values to detect bypass attempts against AV parsers.
- Attack vector is a specially-crafted CHM file delivered remotely; CHM files containing malware may evade detection in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0. Treat CHM files from untrusted sources as high-risk pending parser update.
- Vulnerability confirmed in ClamAV 0.96.4; unclear whether it persisted into later versions prior to 0.97.5. Upgrade to 0.97.5 or later to remediate.
- Also affects Sophos Anti-Virus 4.61.0 in addition to ClamAV 0.96.4; may be split into separate CVEs if parsers are found to have failed independently.
- ClamAV 0.97.5 fix package introduced a regression that could cause scan failures on certain documents. Verify the regression fix (USN-1482-3) is also applied.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
Ubuntu
ClamAV regression
vendor_ubuntu·2012-08-16·CVSS 4.3
[MEDIUM] ClamAV regression
Summary: USN-1482-1 introduced a regression in ClamAV that could cause it to fail
to scan certain documents.
USN-1482-1 fixed vulnerabilities in ClamAV. The updated package could
fail to properly scan files in some situations. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ClamAV incorrectly handled certain malformed TAR
archives. A remote attacker could create a specially-crafted TAR file
containing malware that could escape being detected. (CVE-2012-1457,
CVE-2012-1459)
It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could create a specially-crafted CHM file
containing malware that could escape being detected. (CVE-2012-1458)
Instructions:
Ubuntu
ClamAV regression
vendor_ubuntu·2012-06-20·CVSS 4.3
[MEDIUM] ClamAV regression
Summary: ClamAV could improperly detect malware if it opened a specially crafted file.
USN-1482-1 fixed vulnerabilities in ClamAV. The updated packages could fail
to install in certain situations. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ClamAV incorrectly handled certain malformed TAR
archives. A remote attacker could create a specially-crafted TAR file
containing malware that could escape being detected. (CVE-2012-1457,
CVE-2012-1459)
It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could create a specially-crafted CHM file
containing malware that could escape being detected. (CVE-2012-1458)
Instructions: In general, a standard system
Ubuntu
ClamAV vulnerabilities
vendor_ubuntu·2012-06-19·CVSS 4.3
CVE-2012-1457 [MEDIUM] ClamAV vulnerabilities
Summary: ClamAV could improperly detect malware if it opened a specially crafted
file.
It was discovered that ClamAV incorrectly handled certain malformed TAR
archives. A remote attacker could create a specially-crafted TAR file
containing malware that could escape being detected. (CVE-2012-1457,
CVE-2012-1459)
It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could create a specially-crafted CHM file
containing malware that could escape being detected. (CVE-2012-1458)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2012-1458: clamav - The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allo...
vendor_debian·2012·CVSS 4.3
CVE-2012-1458 [MEDIUM] CVE-2012-1458: clamav - The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allo...
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations.
Scope: local
bookworm: resolved (fixed in 0.97.5+dfsg-1)
bullseye: resolved (fixed in 0.97.5+dfsg-1)
forky: resolved (fixed in 0.97.5+dfsg-1)
sid: resolved (fixed in 0.97.5+dfsg-1)
trixie: resolved (fixed in 0.97.5+dfsg-1)
GHSA
GHSA-x2x7-346g-h5gv: The Microsoft CHM file parser in ClamAV 0
ghsa_unreviewed·2022-05-14
CVE-2012-1458 [MEDIUM] GHSA-x2x7-346g-h5gv: The Microsoft CHM file parser in ClamAV 0
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations.
OSV
CVE-2012-1458: The Microsoft CHM file parser in ClamAV 0
osv·2012-03-21·CVSS 4.3
CVE-2012-1458 [MEDIUM] CVE-2012-1458: The Microsoft CHM file parser in ClamAV 0
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-1458 clamav: specially-crafted CHM files evade detection
bugzilla·2012-03-22·CVSS 4.3
CVE-2012-1458 [MEDIUM] CVE-2012-1458 clamav: specially-crafted CHM files evade detection
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1458 to
the following vulnerability:
Name: CVE-2012-1458
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
Assigned: 20120229
Reference: BUGTRAQ:20120319 Evasion attacks exploiting file-parsing vulnerabilities in antivirus products
Reference: http://www.securityfocus.com/archive/1/522005
Reference: http://www.ieee-security.org/TC/SP2012/program.html
The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus
4.61.0 allows remote attackers to bypass malware detection via a
crafted reset interval in the LZXC header of a CHM file. NOTE: this
may later be SPLIT into multiple CVEs if additional information is
published showing that the
Bugzilla
CVE-2012-1419 CVE-2012-1443 CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 clamav various flaws [epel-all]
bugzilla·2012-03-22·CVSS 4.3
CVE-2012-1419 [MEDIUM] CVE-2012-1419 CVE-2012-1443 CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 clamav various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/u
Bugzilla
CVE-2012-1419 CVE-2012-1443 CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 clamav various flaws [fedora-all]
bugzilla·2012-03-22·CVSS 4.3
CVE-2012-1419 [MEDIUM] CVE-2012-1419 CVE-2012-1443 CVE-2012-1457 CVE-2012-1458 CVE-2012-1459 clamav various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org
References
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00002.html
- http://osvdb.org/80473
- http://osvdb.org/80474
- http://www.ieee-security.org/TC/SP2012/program.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:094
- http://www.securityfocus.com/archive/1/522005
- http://www.securityfocus.com/bid/52611
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74301