| Date issued | 2006-11-29 |
|---|---|
| Last updated | 2006-11-29 |
| Risk factor | Medium (Low/Medium/High/Critical) |
| Brief description | OpenSSL has released a security advisory covering several vulnerabilities in OpenSSL. These vulnerabilities can cause denial-of-service attacks, buffer overflows or client crashes. F-Secure products are affected only by the possible ASN.1-related DoS attacks (CVE-2006-2937). Versions of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL in the administrator web interface. By default, access to the web interface is accepted only from the same host, but it can be configured to be accessible from the network as well. |
| Software | F-Secure Anti-Virus for Microsoft Exchange; F-Secure Internet Gatekeeper |
| Affected versions | F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60; F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60 |
| Affected platforms | Windows Server 2003 64-bit edition for x64 processors |
| Advisory location | http://www.f-secure.com/security/fsc-2006-6.shtml |
| Issue | OpenSSL released a security advisory on September 28th 2006 concerning four security issues. The OpenSSL advisory is located at http://www.openssl.org/news/secadv_20060928.txt. F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL. The OpenSSL announcement lists four different vulnerabilities. Only the ASN.1 denial-of-service issue (CVE-2006-2937) affects our products. The other vulnerabilities (CVE-2006-2940, CVE-2006-3738 and CVE-2006-4343) do not affect F-Secure products. A fixed version has been made available to our customers using F-Secure Anti-Virus for Exchange or F-Secure Internet Gatekeeper. To solve the problem, apply the appropriate hotfix or update the product. Please note that F-Secure Anti-Virus for Microsoft Exchange 6.61 is not affected by these vulnerabilities. |
| Products | F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60; F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60 |
| Scenario 1 | Default configuration. Web Console is configured by default to accept connections only from the local host. |
| Risk factor | Medium. It is possible to exploit the vulnerabilities from the local host. To solve the problem, apply the appropriate hotfix and/or update the product. |
| Scenario 2 | Web Console is configured to allow connections from specific/trusted hosts. |
| Risk factor | Medium. It is possible to exploit the vulnerabilities from the hosts that are on the trusted hosts list. To solve the problem, apply the appropriate hotfix and/or update the product. |
| Scenario 3 | The Web Console is configured to allow connections from all hosts. |
| Risk factor | Critical. It is possible to exploit the vulnerabilities from the local host. To solve the problem, apply the appropriate hotfix and/or update the product. |
| Mitigating factors | |

Available patches:
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Anti-Virus for Microsoft Exchange | 6.60 | Upgrade to F-Secure Anti-Virus for Microsoft Exchange 6.61 | |
| F-Secure Anti-Virus for Microsoft Exchange | 6.40 | Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-06.zip or update to version 6.61. | |
| F-Secure Internet Gatekeeper | 6.60 | Apply hotfix for the F-Secure Internet Gatekeeper 6.60: ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk660-02.zip | |
| F-Secure Internet Gatekeeper | 6.40, 6.41, 6.42, 6.50 | Upgrade to F-Secure Internet Gatekeeper 6.60 and apply hotfix: ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk660-02.zip | |

| Revision history | FSC-2006-6 / 2006-11-29 |
|---|---|

Contact information:
Support: http://www.f-secure.com/en_EMEA/support/