CVE-2004-2276

Vulnerability

F-Secure Anti-Virus versions 5.41 and 5.42 on Windows, Client Security 5.50 and 5.52, 4.60 for Samba Servers, and 4.52 and earlier for Linux incorrectly scan PKZip archives, failing to detect certain viruses such as Sober.D and Sober.G [1]. This allows the viruses to remain undetected during initial scanning of the archive.

Exploitation

An attacker can craft a PKZip archive containing the Sober.D or Sober.G virus and deliver it to a target system via email, download, or other means. When the F-Secure product scans the archive, it fails to detect the malicious payload due to the flawed archive parsing [1]. No special privileges or network position beyond the ability to deliver the archive is needed.

Impact

Successful exploitation results in the virus not being detected by the antivirus software, allowing the virus to execute and potentially compromise the system. The impact includes information disclosure, system instability, and further propagation, consistent with the behavior of the Sober family of worms [1].

Mitigation

F-Secure has released hotfixes for affected products. Users should update to the latest versions as recommended by F-Secure [1]. Specific hotfixes are available for the Linux version and other affected platforms. No workaround is mentioned in the available references.