
FSC-2006-6: OPENSSL DENIAL OF SERVICE VULNERABILITY

Description

OpenSSL has released a security advisory on several vulnerabilities in OpenSSL. These vulnerabilities can cause Denial of Service attacks, buffer overflows or client crashes. F-Secure products are only affected by the possible ASN.1-related DoS attack (CVE-2006-2937).


OpenSSL released a security advisory on September 28, 2006 concerning four security issues. F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL; however, only the ASN.1 Denial of Service vulnerability (CVE-2006-2937) affects our products.

Versions of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL in the administrator web interface. By default, the web interface accepts connections only from the same host, but it can be configured to be accessible from the network as well.

A fixed version has been made available to our customers using F-Secure Anti-Virus for Exchange or F-Secure Internet Gatekeeper. To solve the problem, apply the appropriate hotfix or update the product.

Please note that F-Secure Anti-Virus for Microsoft Exchange 6.61 is not affected by these vulnerabilities.


Possible Scenarios

  • Scenario 1
    Default configuration. The Web Console is configured by default to accept connections only from the local host.
    Risk Level: Medium
    The vulnerabilities can be exploited from the local host. To solve the problem, apply the appropriate hotfix and/or update the product.
  • Scenario 2
    The Web Console is configured to allow connections from specific/trusted hosts.
    Risk Level: Medium
    The vulnerabilities can be exploited from the hosts that are on the trusted hosts list. To solve the problem, apply the appropriate hotfix and/or update the product.
  • Scenario 3
    The Web Console is configured to allow connections from all hosts.
    Risk Level: Critical
    The vulnerabilities can be exploited from the local host. To solve the problem, apply the appropriate hotfix and/or update the product.
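The three scenarios differ only in which hosts can reach the Web Console port, so an administrator can confirm which scenario applies by probing the port from loopback and from a non-loopback address. The script below is an added example written for this advisory, not F-Secure code: the Web Console port is not given in the advisory, so `WEB_CONSOLE_PORT` is a placeholder, and `check_exposure()` takes the port and the addresses to probe from as parameters. The self-test stands up its own listeners bound to 127.0.0.1 and to 0.0.0.0 to show the two outcomes; the 127.0.0.2 probe address is a second loopback alias that Linux routes locally and is used only for that self-test.

```python
import socket
from contextlib import closing

# Added example for this advisory; it is not F-Secure code. The advisory does not
# state the Web Console port, so this is a placeholder that must be replaced
# with the port the product is actually configured to use.
WEB_CONSOLE_PORT = 0  # placeholder, not a real value


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port can be completed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def check_exposure(port, probe_addrs, loopback="127.0.0.1"):
    """Probe the Web Console port from loopback and from each address in
    probe_addrs (this host's non-loopback interface addresses, or a second
    loopback alias such as 127.0.0.2 for a self-test).

    Returns a dict with:
      listening      - True if the port answers on loopback
      reachable_from - the probe addresses from which the port answered
      scenario       - which advisory scenario the result corresponds to

    A product that filters allowed hosts at the HTTP layer rather than at the
    socket bind may still complete the TCP handshake, so a non-empty
    reachable_from list means "verify the trusted-host list", not "Critical".
    """
    listening = tcp_reachable(loopback, port)
    reachable = [a for a in probe_addrs if tcp_reachable(a, port)]
    if not listening:
        scenario = "not listening"
    elif not reachable:
        scenario = "Scenario 1: local host only"
    else:
        scenario = "Scenario 2 or 3: reachable from the network; verify the trusted-host list"
    return {"listening": listening, "reachable_from": reachable, "scenario": scenario}


def make_listener(bind_addr):
    """Open a listening socket on an ephemeral port for the self-test.
    The kernel completes handshakes from the listen backlog, so no accept()
    loop is needed. The caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv


def self_test():
    """Contrast a loopback-only listener with an all-interfaces listener."""
    results = {}
    for label, bind_addr in (("loopback-only", "127.0.0.1"),
                             ("all-interfaces", "0.0.0.0")):
        srv = make_listener(bind_addr)
        port = srv.getsockname()[1]
        try:
            results[label] = check_exposure(port, probe_addrs=["127.0.0.2"])
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for label, r in self_test().items():
        print(f"{label}: {r['scenario']} (reachable from {r['reachable_from']})")
```

In production use, run `check_exposure(WEB_CONSOLE_PORT, probe_addrs=[...])` with the server's real interface addresses, or run it from another machine on the network; an empty `reachable_from` list matches the default configuration described under Scenario 1, while any reachable address means the result must be checked against the configured trusted-host list to tell Scenario 2 from Scenario 3.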


Affected Products


Risk Level: MEDIUM (Low/Medium/High/Critical)

  • F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60
  • F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60


Platforms

Windows Server 2003 64-bit edition for x64 processors


Mitigating Factors

The Web Console for F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper is configured by default to accept local host connections only. This means that it is possible to access the Web Console only from the local machine.


Mitigating Factor

An attacker will need to gain access to the victim's computer prior to exploiting the vulnerability.


Patch Available

Product Versions                                        Hotfix ID
F-Secure Anti-Virus for Microsoft Exchange 6.60         Upgrade to F-Secure Anti-Virus for Microsoft Exchange 6.61
F-Secure Anti-Virus for Microsoft Exchange 6.40         Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40:
F-Secure Internet Gatekeeper 6.60                       Apply hotfix for F-Secure Internet Gatekeeper 6.60:
F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50     Upgrade to F-Secure Internet Gatekeeper 6.60 and apply hotfix:


Date Issued: 2006-11-29
Last Updated: 2006-11-29
