Product Security

FSC-2006-6: OpenSSL Denial of Service Vulnerability

 

Brief Description

OpenSSL has released a security advisory on several vulnerabilities in OpenSSL. These vulnerabilities can cause denial of service, buffer overflows or client crashes. F-Secure products are only affected by the possible ASN.1-related denial of service attack (CVE-2006-2937).

OpenSSL released a security advisory on September 28th 2006 concerning four security issues. F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL; however, only the ASN.1 Denial of Service Attack vulnerability (CVE-2006-2937) affects our products.

Versions of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL in the administrator web interface. By default, access to the web interface is accepted only from the same host, but it can be configured to be accessible from the network as well.

A fixed version has been made available to our customers using F-Secure Anti-Virus for Exchange or F-Secure Internet Gatekeeper. To solve the problem, apply the appropriate hotfix or update the product.

Please note that F-Secure Anti-Virus for Microsoft Exchange 6.61 is not affected by these vulnerabilities.


Possible Scenarios

Scenario 1
Default configuration. The Web Console is configured by default to accept connections only from the local host.

Risk Level: Medium
It is possible to exploit the vulnerabilities from the local host. To solve the problem, apply the appropriate hotfix and/or update the product.

Scenario 2
Web Console is configured to allow connections from specific/trusted hosts.

Risk Level: Medium
It is possible to exploit the vulnerabilities from the hosts on the trusted hosts list. To solve the problem, apply the appropriate hotfix and/or update the product.

Scenario 3
The Web Console is configured to allow connections from all hosts.

Risk Level: Critical
It is possible to exploit the vulnerabilities from the local host. To solve the problem, apply the appropriate hotfix and/or update the product.

Affected Platforms

Windows Server 2003 64-bit edition for x64 processors

Products

Risk Level: MEDIUM (Low/Medium/High/Critical)

F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60
F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60

Mitigating Factors

The Web Console for F-Secure Anti-Virus for Microsoft Exchange and for F-Secure Internet Gatekeeper is configured by default to accept local host connections only. This means that the Web Console can be accessed only from the local machine.

Patch Available

Product | Versions | Hotfix ID / Download
F-Secure Anti-Virus for Microsoft Exchange | 6.60 | Upgrade to F-Secure Anti-Virus for Microsoft Exchange 6.61
F-Secure Anti-Virus for Microsoft Exchange | 6.40 | Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40
F-Secure Internet Gatekeeper | 6.60 | Apply hotfix for F-Secure Internet Gatekeeper 6.60
F-Secure Internet Gatekeeper | 6.40, 6.41, 6.42, 6.50 | Upgrade to F-Secure Internet Gatekeeper 6.60 and apply hotfix

Date Issued: 2006-11-29
Last Updated: 2006-11-29
