SA65 : ProxyAV buffer overflow in libpng (CVE-2010-1205)
1238
03 March 2020
02 December 2011
CLOSED
HIGH
CVSS v2: 7.5
SUMMARY
ProxyAV uses a version of libpng that is vulnerable to a buffer overflow attack. This vulnerability could allow a remote attacker to read and modify ProxyAV data.
AFFECTED PRODUCTS
All versions of ProxyAV prior to 3.4.1.1 are vulnerable.
Patches
- ProxyAV 3.4 - a fix is available in 3.4.1.1.
- ProxyAV 3.3 - a fix is avialable in 3.3.2.1.
- ProxyAV 3.2 and earlier - please upgrade to a later version.
ISSUES
CVE-2010-1205 - CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ProxyAV uses libpng version 1.2.8 to generate statistical graphs in PNG format. This version of libpng is vulnerable to a buffer overflow attack. It is possible that a remote attacker could execute arbitrary code on ProxyAV through this library that would run with escalated privileges.
ProxyAV 3.4.1.1 contains an upgrade to libpng version 1.2.46 fixing this CVE.
MITIGATION
Deploying ProxyAV behind a firewall and adding constraints on what IP addresses can be used to connect to ProxyAV will greatly limit the ability to attack a ProxyAV installation.
REFERENCES
CVE-2010-1205 - https://nvd.nist.gov/vuln/detail/CVE-2010-1205
REVISION
2012-12-10 Notification of fix for 3.3
2011-12-02 Initial public release