

Product Security

FSC-2006-1: Code Execution Vulnerability in ZIP and RAR Archive Handling

 

Brief Description

Specially crafted ZIP archives may be used to execute code on affected systems. Both RAR and ZIP archives can in addition be crafted to evade successful scanning and to obfuscate malicious code inside the archive.

It is possible to create specially crafted ZIP archives that cause a buffer overflow, which allows an attacker to execute arbitrary code on affected systems. It is in addition possible to create malformed RAR and ZIP archives that cannot be scanned properly, which can lead to a false negative scan result.
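The two failure modes described above (length fields that drive a buffer overflow, and malformed archives that a scanner skips and reports as clean) share one root: trusting header fields without checking them against the bytes actually present. The following Python checker is an added example and is not part of the advisory, nor F-Secure's scanner code; it models only the defensive principle. It walks the ZIP central directory with an explicit bounds check on every length and offset it reads, and its verdict is never "clean" for an archive it could not parse consistently. The function names, the `MAX_NAME_LEN` policy cap, the scan policy strings and the in-memory sample archive are all assumptions constructed for this example.

```python
"""Fail-closed ZIP structure check (added example, not F-Secure code)."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
MAX_NAME_LEN = 1024  # hypothetical cap a scanner policy might place on entry names


def build_sample_zip() -> bytes:
    """Constructed two-entry STORED archive used as the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello from a constructed sample")
        zf.writestr("dir/data.bin", bytes(range(32)))
    return buf.getvalue()


def _malformed(reason: str) -> dict:
    return {"verdict": "malformed", "entries": [], "reason": reason}


def inspect_zip(data: bytes) -> dict:
    """Parse the central directory; every length/offset is checked before use."""
    n = len(data)
    # EOCD record is 22 bytes plus an optional comment of at most 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, n - 65557))
    if eocd < 0 or eocd + 22 > n:
        return _malformed("no end-of-central-directory record")
    _, _, _, total, cd_size, cd_off, comment_len = struct.unpack_from(
        "<HHHHIIH", data, eocd + 4)
    if eocd + 22 + comment_len > n:
        return _malformed("EOCD comment length exceeds file size")
    cd_end = cd_off + cd_size
    if cd_end > eocd:
        return _malformed("central directory runs past EOCD")

    entries = []
    pos = cd_off
    for _ in range(total):
        if pos + 46 > cd_end or data[pos:pos + 4] != CENTRAL_SIG:
            return _malformed("central directory entry truncated or bad signature")
        (_, _, _, method, _, _, _, csize, usize, name_len, extra_len,
         fcomment_len, _, _, _, lh_off) = struct.unpack_from(
            "<HHHHHHIIIHHHHHII", data, pos + 4)
        rec_end = pos + 46 + name_len + extra_len + fcomment_len
        if rec_end > cd_end:
            return _malformed("entry header lengths exceed central directory")
        if name_len > MAX_NAME_LEN:
            return _malformed("entry name longer than policy allows")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        # Local header must lie before the central directory and be complete.
        if lh_off + 30 > cd_off or data[lh_off:lh_off + 4] != LOCAL_SIG:
            return _malformed("local header offset out of range or bad signature")
        lname_len, lextra_len = struct.unpack_from("<HH", data, lh_off + 26)
        data_start = lh_off + 30 + lname_len + lextra_len
        if data_start + csize > cd_off:
            return _malformed("compressed data runs past central directory")
        if method == 0 and csize != usize:
            return _malformed("stored entry with mismatched sizes")
        entries.append({"name": name, "method": method,
                        "csize": csize, "usize": usize})
        pos = rec_end
    return {"verdict": "parsed", "entries": entries, "reason": ""}


def scan_policy(result: dict) -> str:
    """Map the structural verdict to an action; unparseable is never 'clean'."""
    return "scan_entries" if result["verdict"] == "parsed" else "quarantine_and_alert"


def overstate_name_length(data: bytes) -> bytes:
    """Test fixture: make the first central-directory name length inconsistent
    with the directory size, which the checker must reject rather than skip."""
    cd = data.find(CENTRAL_SIG)
    return data[:cd + 28] + b"\xff\xff" + data[cd + 30:]


if __name__ == "__main__":
    good = build_sample_zip()
    print(inspect_zip(good)["verdict"], scan_policy(inspect_zip(good)))
    bad = inspect_zip(overstate_name_length(good))
    print(bad["verdict"], bad["reason"], scan_policy(bad))
```

The point of the design is the last function: a scanner that cannot account for every byte of an archive returns a distinct "malformed" verdict that the policy layer maps to quarantine and alerting, so a parse failure can never surface as the false negative the advisory describes.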

 

Affected Platforms   

All platforms supported by the affected products
 

Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Anti-Virus for Workstations version 5.44 and earlier
•  F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
•  F-Secure Anti-Virus for Citrix Servers version 5.52
•  F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
•  F-Secure Anti-Virus Client Security version 6.01 and earlier
•  F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
•  F-Secure Internet Gatekeeper version 6.42 and earlier
•  F-Secure Anti-Virus for Firewalls version 6.20 and earlier

Notes for F-Secure Anti-Virus for Workstations 5.44 and earlier, F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier and F-Secure Anti-Virus Linux Client Security 5.11 and earlier

These products contain the vulnerability, but successful exploitation requires the user to scan the exploit with archive scanning enabled. This can happen, for example, during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration. F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
•  F-Secure Anti-Virus for Linux Servers version 4.64 and earlier
•  F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier
•  F-Secure Anti-Virus for Samba Servers version 4.62
•  F-Secure Anti-Virus Linux Client Security 5.11 and earlier
•  F-Secure Anti-Virus Linux Server Security 5.11 and earlier
•  F-Secure Internet Gatekeeper for Linux 2.14 and earlier

 

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Internet Security 2004, 2005 and 2006
•  F-Secure Anti-Virus 2004, 2005 and 2006
•  Solutions based on F-Secure Personal Express version 6.20 and earlier

Notes
These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory.
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Anti-Virus for Workstations 5.44 and earlier
•  F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
•  F-Secure Anti-Virus Linux Client Security 5.11 and earlier

Notes
These products contain the vulnerability, but successful exploitation requires the user to scan the exploit with archive scanning enabled. This can happen, for example, during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration. F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Anti-Virus Client Security version 6.01 and earlier

Notes
This product contains e-mail scanning functionality, and that module is vulnerable in its default configuration. This makes it more likely that an attack against this product will succeed compared to other affected client products. The on-access scanner in this product is not vulnerable in its default configuration. F-Secure recommends that all users of this product install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

Server and gateway products

•  F-Secure Anti-Virus for Windows Servers 5.52 and earlier
•  F-Secure Internet Gatekeeper 6.42 and earlier
•  F-Secure Anti-Virus for Firewalls 6.20 and earlier
•  F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
•  F-Secure Anti-Virus Linux Server Security 5.11 and earlier
•  F-Secure Anti-Virus for Linux Servers version 4.64 and earlier
•  F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier
•  F-Secure Anti-Virus for Samba Servers 4.62
•  F-Secure Internet Gatekeeper for Linux 2.14

Notes for server and gateway products
Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines typically scan a large number of archive files with the "scan inside archives" setting enabled. Server products that are configured to run scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks. F-Secure recommends that all users of the mentioned gateway and server products install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

•  F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Notes
This product is vulnerable, but under normal circumstances the Clearswift MIMEsweeper product performs the archive handling. The vulnerability can, however, be exploited if the product is used to scan the local system, or if MIMEsweeper fails to recognize an archive correctly and passes it on to the F-Secure scanner. F-Secure recommends that users apply the hotfix or upgrade to a later version (if available).

 

Mitigating Factors

A fix for the problem has been distributed through the malware definition database update channel. This advisory only affects systems that, for some reason, are not updated automatically.
 

Credit

F-Secure thanks Thierry Zoller (http://www.zoller.lu) for bringing this issue to our attention.
 

Patch Available

Product                                     Versions            Hotfix ID        Download
F-Secure Internet Security                  2004 - 2006         -                Hotfix distributed automatically.
F-Secure Anti-Virus                         2004 - 2006         -                Hotfix distributed automatically.
F-Secure Personal Express                   6.20 and earlier    -                Hotfix distributed automatically.
F-Secure Anti-Virus for Workstations        5.42 - 5.44         fsavwk620-02     ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
F-Secure Anti-Virus Client Security         5.54 - 6.01         fsavwk620-02     ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix
F-Secure Anti-Virus for Windows Servers     5.42 - 5.52         fsavsr552-05     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
F-Secure Anti-Virus for Citrix Servers      5.50 - 5.52         fsavsr552-05     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
F-Secure Anti-Virus for MIMEsweeper         5.42 - 5.61         fsavsr552-05     ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix
F-Secure Anti-Virus for MS Exchange         6.01                fscss631-07      ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-07.zip
F-Secure Anti-Virus for MS Exchange         6.40                fsavmse640-03    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-03.zip
F-Secure Internet Gatekeeper                6.42                fsigk642-02      ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk642-02.zip
F-Secure Anti-Virus for Linux Servers       4.63 - 4.64         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus for Linux Gateways      4.63 - 4.64         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus for Samba Servers       4.62                Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Client Security   5.00 - 5.04         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Client Security   5.10 - 5.11         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Server Security   5.00 - 5.04         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Server Security   5.10 - 5.11         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Internet Gatekeeper for Linux      2.10 - 2.14         Updated binary   ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz

Date Issued: 2006-01-19
Last Updated: 2006-01-28
