Intrusion Prevention

Base64.Encoded.Image.Virus.Detection.Bypass

Description

This indicates an attack attempt against a virus-scanning bypass vulnerability in anti-virus gateway products from multiple vendors.
The vulnerability is caused by an error in how the vulnerable software handles base64-encoded images. It allows a remote attacker to bypass virus scanning by sending crafted URIs.
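
The check a gateway needs in order to close this gap, as an added example that is not taken from any of the listed products: decode every base64 payload embedded in a URI so the bytes can be scanned, and flag payloads whose content does not match the declared image type. It assumes the crafted URIs are RFC 2397 `data:` URIs, which this entry does not state; the function names and the sample HTML are constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: the crafted URIs are RFC 2397 data: URIs declaring base64 encoding.
DATA_URI = re.compile(
    r"data:(?P<mime>[\w.+-]+/[\w.+-]+)?(?:;[\w.+-]+=[\w.+-]+)*;base64,"
    r"(?P<b64>[A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Leading bytes of the image types such a URI usually claims to carry.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

def extract_payloads(html):
    """Return (declared_mime, decoded_bytes) for each base64 data: URI.
    Every decoded payload should be handed to the scanning engine."""
    found = []
    for m in DATA_URI.finditer(html):
        mime = (m.group("mime") or "text/plain").lower()
        b64 = m.group("b64")
        try:
            raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        except (binascii.Error, ValueError):
            continue  # undecodable payload: nothing to scan
        found.append((mime, raw))
    return found

def mismatched(html):
    """Payloads declared as images whose bytes are not that image type."""
    return [(mime, raw) for mime, raw in extract_payloads(html)
            if mime in IMAGE_MAGIC and not raw.startswith(IMAGE_MAGIC[mime])]

# Constructed sample: one genuine GIF header, one harmless non-image placeholder.
GIF = base64.b64encode(b"GIF89a" + b"\x00" * 10).decode()
FAKE = base64.b64encode(b"NOT-AN-IMAGE constructed placeholder").decode()
SAMPLE = (f'<img src="data:image/gif;base64,{GIF}">'
          f'<img src="data:image/gif;base64,{FAKE}">')

if __name__ == "__main__":
    for mime, raw in mismatched(SAMPLE):
        print(f"declared {mime}, content starts with {raw[:12]!r}")
```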

Affected Products

Trend Micro WebProtect 3.1
Trend Micro InterScan Messaging Security Suite 5.5
Trend Micro InterScan Messaging Security Suite 3.81
TippingPoint Unity-One with Digital Vaccine 2.0.0.2070
McAfee Webshield 3000 4.3.20
MandrakeSoft Linux Mandrake 10.1 x86_64
MandrakeSoft Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
IronPort IronPort with Sophos AV Engine 3.88
Internet Security Systems SiteProtector 2.0 SP3
Internet Security Systems SiteProtector 2.0.4.561
Clam Anti-Virus ClamAV 0.81
Clam Anti-Virus ClamAV 0.80 rc4
Clam Anti-Virus ClamAV 0.80 rc3
Clam Anti-Virus ClamAV 0.80 rc2
Clam Anti-Virus ClamAV 0.80 rc1
Clam Anti-Virus ClamAV 0.80
Clam Anti-Virus ClamAV 0.70
Clam Anti-Virus ClamAV 0.68 -1
Clam Anti-Virus ClamAV 0.68
Clam Anti-Virus ClamAV 0.67
Clam Anti-Virus ClamAV 0.65
Clam Anti-Virus ClamAV 0.60
Clam Anti-Virus ClamAV 0.54
Clam Anti-Virus ClamAV 0.53
Clam Anti-Virus ClamAV 0.52
Clam Anti-Virus ClamAV 0.51
Check Point Software FireWall-1 R55 HFA08 with SmartDefense
ALT Linux ALT Linux Junior 2.3
ALT Linux ALT Linux Compact 2.3

Impact

System compromise: Bypass virus scanning.

Recommended Actions

Upgrade to the latest version of the vulnerable software or firmware.

CVE References

CVE-2005-0218