Realtime surgemail9/9/2023 ![]() : Avast replies that all versions and all product ranges are affected, however "There's currently no plan to release a special patch for this as our risk assessment makes it a very low priority issue.".: Asked for patch time line and affected version.: Reply that the POC works as expected and asked why there has been no reaction to previous notifications.: Avast replies quoting the mail sent on the and claims that this is a non issue because the POC would not correctly decompress. ![]() : Release of this advisory and begin of grace period.This time two known contact adresses that were previously used to report vulnerabilities were used: reply. : Resending specifying this is the last attempt to disclose reponsibly.There is no security adress listed at and hence took the industry standard security contacts addresses and reply. : Send proof of concept, description the terms under which I cooperate and the planned disclosure date.There is no inspection of the content at all. The bug results in denying the engine the possibility to inspect code within the RAR archive. Details are currently witheld.Ī general description of the impact and nature of AV Bypasses/evasions can be read at : The parsing engine can be bypassed by a specially crafted and formated RAR archive. It provides complete server and desktop virus protection." Quote: "Comprehensive network security solution for corporate customers certified and tested by ICSA and Checkmark. NetWin Software - SurgeMail Email Server.TN North Software - Interner Anywhere eMailServer.avast! for Linux/Unix Server (impact high, complete bypass).avast! Distributed Network Manager (impact high, complete bypass).avast! 4 Lotus Domino Edition (impact high, complete bypass).avast! 4 SMTP Server Edition (impact high, complete bypass).avast! 4 SharePoint Server Edition (impact high, complete bypass).avast! 4 ISA Server Edition (impact high, complete bypass).avast! 4 Exchange Server Edition (impact high, complete bypass).avast! 4 Server Edition(impact high, complete bypass).avast! Linux Home Edition (impact unknown).avast! WHS Edition (impact low, reason real-time protection).avast! Pro Family pack (impact low, reason real-time protection).avast! 4 Home Edition (impact low, reason real-time protection).avast! 4 Professional (impact low, reason real-time protection).You are encouraged to read the time line and draw your own conclusions. I recommend that existing customers that care about their overall security posture (enterprise) should contact avast and ask for a patch. Update : After the reaction from avast, it is clear that all versions and products are affected, however there is no plan to patch.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |