The remote host is affected by the vulnerability described in GLSA-200709-14 (ClamAV: Multiple vulnerabilities)

    Nikolaos Rangos discovered a vulnerability in ClamAV which exists     because the recipient address extracted from email messages is not     properly sanitized before being used in a call to 'popen()' when     executing sendmail (CVE-2007-4560). Also, NULL pointer dereference     errors exist within the 'cli_scanrtf()' function in libclamav/rtf.c and     Stefanos Stamatis discovered a NULL pointer dereference vulnerability     within the 'cli_html_normalise()' function in libclamav/htmlnorm.c     (CVE-2007-4510).
  Impact :

    The unsanitized recipient address can be exploited to execute arbitrary     code with the privileges of the clamav-milter process by sending an     email with a specially crafted recipient address to the affected     system. Also, the NULL pointer dereference errors can be exploited to     crash ClamAV. Successful exploitation of the latter vulnerability     requires that clamav-milter is started with the 'black hole' mode     activated, which is not enabled by default.
  Workaround :

    There is no known workaround at this time.

The remote host appears to be running a version of Clamav-milter, a filter for sendmail, configured with '--black-hole-mode' that fails to sanitize recipient addresses of shell metacharacters before using them in a call to 'popen()' to determine whether to discard incoming messages.  An unauthenticated, remote attacker can leverage this issue to execute arbitrary code, typically as root.

リモートホストでは、sendmailのフィルタであるClamav-milterバージョンが「--black-hole-mode」に構成されて実行されているようです。この構成により、シェルのメタ文字の受信者アドレスが、着信メッセージを破棄するかどうかを判断する「popen（）」の呼び出しで使用する前にサニタイズできません。認証されていないリモート攻撃者は、この問題を利用して、リモートホストで通常、rootとして任意のコードを実行できます。

遠端主機執行的 Clamav-milter (sendmail 篩選器) 版本似乎設定為「--black-hole-mode」，其無法清理 shell 詮釋字元的收件者位址，便將其用於「popen()」的呼叫中，藉此判斷是否要捨棄傳入訊息。未經驗證的遠端攻擊者可利用此問題以 Root 身分執行任意程式碼。

远程主机似乎正在运行某个版本的 Clamav-milter，这是一款适用于 sendmail 的过滤器，采用“--black-hole-mode”配置，该过滤器无法审查 shell 元字符的收件人地址，便将其用于调用“popen()”以确定是否为丢弃传入消息。未经身份验证的远程攻击者可利用此问题在执行任意代码（通常以根权限）。

A vulnerability in ClamAV was discovered that could allow remote attackers to cause a denial of service via a crafted RTF file or a crafted HTML document with a data: URI, both of which trigger a NULL dereference (CVE-2007-4510).

A vulnerability in clamav-milter, when run in black hole mode, could allow remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call (CVE-2007-4560).

Other bugs have also been corrected in 0.91.2 which is being provided with this update.

- Sat Aug 25 2007 Enrico Scholz <enrico.scholz at     informatik.tu-chemnitz.de> - 0.91.2-2

    - fixed an open(2) issue

  - Sat Aug 25 2007 Enrico Scholz <enrico.scholz at     informatik.tu-chemnitz.de> - 0.91.2-1

    - updated to 0.91.2 (SECURITY) :

    - CVE-2007-4510 DOS in RTF parser

    - DOS in html normalizer

    - arbitrary command execution by special crafted       recipients in clamav-milter's black-hole mode

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-4510     It was discovered that the RTF and RFC2397 parsers can     be tricked into dereferencing a NULL pointer, resulting     in denial of service.

  - CVE-2007-4560     It was discovered that clamav-milter performs     insufficient input sanitising, resulting in the     execution of arbitrary shell commands.

The oldstable distribution (sarge) is only affected by a subset of the problems. An update will be provided later.

The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. 

This update contains several security fixes for a number of programs.

The remote host is running the ClamAV anti-virus client.

This version of ClamAV is vulnerable to multiple denial of service (DoS) attacks when handling malformed files.  An attacker exploiting this flaw would only need the ability to send an email to the vulnerable system.  Successful exploitation would result in the application crashing.  

ID	名稱	產品	系列	已發布	已更新	嚴重性
26104	GLSA-200709-14 : ClamAV: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	2007/9/24	2021/1/6	high
29830	ClamAV clamav-milter black-hole-mode Sendmail Recipient Field Arbitrary Command Execution	Nessus	SMTP problems	2008/1/3	2022/4/11	high
29830	ClamAV lamav-milter black-hole-modeの Sendmail Recipientフィールドの任意コマンド実行	Nessus	SMTP problems	2008/1/3	2022/4/11	high
29830	ClamAV clamav-milter black-hole-mode Sendmail 收件者欄位存在任意命令執行弱點	Nessus	SMTP problems	2008/1/3	2022/4/11	high
29830	ClamAV clamav-milter Black-hole-mode Sendmail 收件人字段任意命令执行	Nessus	SMTP problems	2008/1/3	2022/4/11	high
25969	Mandrake Linux Security Advisory : clamav (MDKSA-2007:172)	Nessus	Mandriva Local Security Checks	2007/9/3	2021/1/6	high
27747	Fedora 7 : clamav-0.91.2-2.fc7 (2007-2050)	Nessus	Fedora Local Security Checks	2007/11/6	2021/1/11	high
25966	Debian DSA-1366-1 : clamav - several vulnerabilities	Nessus	Debian Local Security Checks	2007/9/3	2021/1/4	high
31605	Mac OS X Multiple Vulnerabilities (Security Update 2008-002)	Nessus	MacOS X Local Security Checks	2008/3/19	2018/7/14	critical
4183	ClamAV < 0.91.2 Multiple Remote DoS (deprecated)	Nessus Network Monitor	Web Clients	2007/8/22	2019/3/6	high

偵測

搜尋 Plugin

high

high

high

high

high

high

high

high

critical

high