FSC-2006-6: OpenSSL Denial of Service Vulnerability
Brief Description
OpenSSL has released a security advisory covering several vulnerabilities in OpenSSL. These vulnerabilities can lead to denial of service, buffer overflows or client crashes. F-Secure products are affected only by the possible ASN.1-related denial of service attack (CVE-2006-2937).
OpenSSL released a security advisory on September 28th 2006 concerning four security issues. F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL; however, only the ASN.1 Denial of Service Attack vulnerability (CVE-2006-2937) affects our products.
Versions of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL in the administrator web interface. By default the web interface accepts connections only from the same host, but it can be configured to be accessible from the network as well.
A fixed version has been made available to our customers using F-Secure Anti-Virus for Exchange or F-Secure Internet Gatekeeper. To solve the problem apply the appropriate hotfix or update the product.
Please note that F-Secure Anti-Virus for Microsoft Exchange 6.61 is not affected by these vulnerabilities.
Possible Scenarios
Scenario 1
Default configuration. Web Console is configured by default to accept connections only from the local host.
Risk Level: Medium
The vulnerabilities can be exploited from the local host. To solve the problem apply the appropriate hotfix and/or update the product.
Scenario 2
Web Console is configured to allow connections from specific/trusted hosts.
Risk Level: Medium
The vulnerabilities can be exploited from the hosts on the trusted hosts list. To solve the problem apply the appropriate hotfix and/or update the product.
Scenario 3
The Web Console is configured to allow connections from all hosts.
Risk Level: Critical
The vulnerabilities can be exploited from the local host. To solve the problem apply the appropriate hotfix and/or update the product.
Affected Platforms
Windows Server 2003 64-bit edition for x64 processors
Products
Risk Level: MEDIUM (Low/Medium/High/Critical)
F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60
F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60
Mitigating Factors
The Web Console of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper is configured by default to accept connections from the local host only. This means that the Web Console can be accessed only from the local machine.
Patch Available
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Anti-Virus for Microsoft Exchange | 6.60 | Upgrade to F-Secure Anti-Virus for Microsoft Exchange 6.61 | |
| F-Secure Anti-Virus for Microsoft Exchange | 6.40 | Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40: | |
| F-Secure Internet Gatekeeper | 6.60 | Apply hotfix for the F-Secure Internet Gatekeeper 6.60: | |
| F-Secure Internet Gatekeeper | 6.40, 6.41, 6.42, 6.50 | Upgrade to F-Secure Internet Gatekeeper 6.60 and apply hotfix: | |
Date Issued: 2006-11-29
Last Updated: 2006-11-29