Vulnerability

    KAV for sendmail

Affected

    KAV for sendmail 3.5.135.2

Description

    3APA3A found following. *KAV  is a "Kaspersky AntiVirus"  formerly
    known as AVP.  KAV for sendmail is antiviral product of  Kaspersky
    Lab's  KAV  suit  (formerly  known   as  AVP)  one  of  very   few
    commercially  available  multiplatform   antiviral  products   for
    servers,  workstations,  CVP   Firewalls  and  messaging   systems
    (Exchange,  Lotus,  Sendmail,  QMail,  Postfix) under DOS, Windows
    95/98/ME/NT/2000, OS/2, Linux, FreeBSD, BSDI and soon for  Solaris
    (feel free  to contact  support@kaspersky.com if  you need  it for
    different platform).

    While testing this software by permission of Kaspersky Lab, format
    string bug was found in syslog() call in avpkeeper

        /usr/local/share/AVP/avpkeeper/avpkeeper

    utility, which  is launched  from sendmail  to scan  and desinfect
    messages.  Intruders can  cause Denial of Service  and potentially
    can  execute  code  remotely  with  root or group mail privileges,
    depending on sendmail installation (code execution is not trivial,
    if  possible,  because  format  string  must  conform RFC 821/2821
    e-mail address requirements to bypass sendmail).

Solution

    Kaspersky  Lab  was  contacted  on  May,  30.  Patched version was
    delivered in 24  hours, but no  alerts were sent  to users and  no
    fixes were made  available for public  download.  Vendor  was also
    informed on few potential local race conditions with mktemp()  and
    mkdtemp().

    Workaround is to diasable syslog.  In avpkeeper.ini set

        usesyslog=no

    Since  AVP  for  Unix  products  are  not  open source and are not
    available for free  download please contact  support@kaspersky.com
    to get patches  for registered version  of KAV/AVP or  to get demo
    version for testing.