______________________________________________________________________ From the low-hanging-fruit-department - Nod32 CAB bypass/evasion ______________________________________________________________________ Release mode: Coordinated but limited disclosure. Ref : TZO-162009 - Nod32 CAB bypass/evasion WWW : http://blog.zoller.lu/2009/04/nod32-eset-cab-generic-evasion-limited.html Status : No patch, but mitigation recommendations (see below) Vendor : http://www.trendmicro.com/ Security notification reaction rating : Good Notification to patch time window : 14 days Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Affected products : - ESET Smart Security 4 (update #4036) - ESET NOD32 Antivirus 4 (update #4036) - ESET Smart Security 4 Business Edition (update #4036) - ESET NOD32 Antivirus 4 Business Edition (update #4036) - ESET NOD32 Antivirus for Exchange Server (update #4036) - ESET Mail Security (update #4036) - ESET NOD32 Antivirus for Lotus Domino Server (update #4036) - ESET File Security (update #4036) - ESET Novell Netware (update #4036) - ESET DELL STORAGE SERVERS (update #4036) - ESET NOD32 Antivirus for Linux gateway devices (update #4036) I. Background ~~~~~~~~~~~~~ ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET NOD32® Antivirus, is the flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. http://www.eset.com/products/eset_performance_advantages.php II. Description ~~~~~~~~~~~~~~~ The parsing engine can be bypassed by a specially crafted and formated CAB archive. Details are currently witheld due to other vendors that are in process of deploying patches. III. Impact ~~~~~~~~~~~ A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ 13/04/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date No reply 17/04/2009 : Resend notification with an indication this will be the last attempt to responsibly disclose. 17/04/2009 : Eset acknowledges receipt and previous receipt 29/04/2009 : Eset informs me that the bug was fixed on the 27th of April through and auotmatic update (update #4036) 29/04/2009 : Release of this advisory