ProxyAV buffer overflow in libpng (CVE-2010-1205)

Back to all Security AdvisoriesFollow
Security Advisories ID: 
SA65
Published Date: 
December 2, 2011
Advisory Status: 
Final
Advisory Severity: 
High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2010-1205 - CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ProxyAV uses a version of libpng that is vulnerable to a buffer overflow attack. This vulnerability could allow a remote attacker to read and modify ProxyAV data.

Affected Products: 

All versions of ProxyAV prior to 3.4.1.1 are vulnerable

Advisory Details: 

ProxyAV uses libpng version 1.2.8 to generate statistical graphs in PNG format.  This version of libpng is vulnerable to a buffer overflow attack.  It is possible that a remote attacker could execute arbitrary code on ProxyAV through this library that would run with escalated privileges.

ProxyAV 3.4.1.1 contains an upgrade to libpng version 1.2.46 fixing this CVE.

Workarounds: 

Deploying ProxyAV behind a firewall and adding constraints on what IP addresses can be used to connect to ProxyAV will greatly limit the ability to attack a ProxyAV installation.

Patches: 

ProxyAV 3.4 - a fix is available in 3.4.1.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.

ProxyAV 3.3 - a fix is avialable in 3.3.2.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4.

ProxyAV 3.2 and earlier - please upgrade to a later version.

Advisory History: 

2012-12-10 Notification of fix for 3.3

2011-12-02 Initial public release

Feedback