Product Security

FSC-2007-1: Buffer Overflow Vulnerability in Handling LHA Archives

 

Brief Description

Several F-Secure products have a buffer overflow vulnerability in processing LHA archives. This may allow an attacker to execute arbitrary code or to create a denial-of-service condition. This vulnerability is related to a similar vulnerability in the GZIP program's handling of LZH-compressed archives.

An attacker may create a specially crafted LHA archive that triggers the described buffer overflow when the archive is decompressed, allowing arbitrary code to be executed or a denial-of-service condition to be created. US-CERT description of the GZIP vulnerability: http://www.kb.cert.org/vuls/id/381508
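The advisory gives no code, so the following is an added illustration, not F-Secure's code and not the actual flawed routine, of the bounds checking an archive scanner needs when it reads an LHA header: the header-size and name-length bytes come from the archive and are therefore attacker-controlled, so the parser checks them against each other and against the input before any copy. The struct, the function names and the sample header the builder produces are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decoded fields of an LHA level-0 header (hypothetical struct for this example). */
typedef struct {
    char     method[6];     /* compression method id, e.g. "-lh5-" */
    uint32_t packed_size, original_size;
    char     name[256];     /* name_len is one byte, so 255 bytes + NUL always fits */
} lha_level0_header;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one level-0 header from buf[0..len); returns bytes consumed, 0 if rejected.
 * Layout: [0]=header size (bytes from offset 2 to end), [1]=8-bit sum of those bytes,
 * [2..6]=method, [7..10]=packed size LE, [11..14]=original size LE, [15..18]=DOS time,
 * [19]=attribute, [20]=level, [21]=name length, [22..]=name, then a 2-byte CRC. */
size_t lha_parse_level0(const uint8_t *buf, size_t len, lha_level0_header *out) {
    if (len < 22 || buf[20] != 0) return 0;        /* fixed part missing, or not level 0 */
    size_t hsize = buf[0], name_len = buf[21], total = hsize + 2;
    /* Both attacker-controlled length fields are checked against each other and against the
     * input before any copy, so a crafted header cannot drive memcpy past the scanned data. */
    if (hsize != 22 + name_len || total > len) return 0;
    uint8_t sum = 0;
    for (size_t i = 2; i < total; i++) sum = (uint8_t)(sum + buf[i]);
    if (sum != buf[1]) return 0;                   /* corrupted or forged header */
    memcpy(out->method, buf + 2, 5);  out->method[5] = '\0';
    out->packed_size   = rd_le32(buf + 7);
    out->original_size = rd_le32(buf + 11);
    memcpy(out->name, buf + 22, name_len);  out->name[name_len] = '\0';
    return total;
}

/* Build a well-formed level-0 header for a constructed sample entry; returns bytes written. */
size_t lha_build_level0(uint8_t *dst, size_t cap, const char *name, uint32_t original_size) {
    size_t name_len = strlen(name), total = 24 + name_len;
    if (name_len > 255 || cap < total) return 0;
    memset(dst, 0, total);
    dst[0] = (uint8_t)(22 + name_len);
    memcpy(dst + 2, "-lh0-", 5);                   /* "-lh0-" = stored, uncompressed entry */
    for (int i = 0; i < 4; i++) dst[11 + i] = (uint8_t)(original_size >> (8 * i));
    dst[21] = (uint8_t)name_len;
    memcpy(dst + 22, name, name_len);
    for (size_t i = 2; i < total; i++) dst[1] = (uint8_t)(dst[1] + dst[i]);
    return total;
}
```

Feeding the parser a header whose name-length byte disagrees with the header-size byte, or whose header size exceeds the bytes actually available, makes it return 0 instead of copying.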

These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory.
 

Affected Platforms   

All platforms supported by the affected products
 

Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

F-Secure Anti-Virus for Workstations version 5.44 and earlier
F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 6.03 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Anti-Virus Linux Client Security 5.30 and earlier
F-Secure Anti-Virus Linux Server Security 5.30 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
 

Risk Level: HIGH (Low/Medium/High/Critical)

F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
F-Secure Anti-Virus for Workstations 5.44 and earlier*
F-Secure Anti-Virus Linux Client Security 5.30 and earlier*
F-Secure Anti-Virus Client Security version 6.03 and earlier*

Notes for products marked *
These products contain the vulnerability, but successful exploitation requires the user to scan the exploit with archive scanning enabled. This can happen, for example, during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration.

F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: CRITICAL (Low/Medium/High/Critical)

Servers & Gateways

F-Secure Anti-Virus for Windows Servers 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Internet Gatekeeper 6.60 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Anti-Virus Linux Server Security 5.30 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Internet Gatekeeper for Linux 2.16
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Notes for Server & Gateway Products
Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines typically scan a large number of archive files with the "scan inside archives" setting enabled. Server products that are configured to use scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks.

F-Secure recommends that all users of the mentioned gateway and server products install the hotfix or upgrade to a version that is not affected (if available).
 

Mitigating Factors

The vulnerability requires that the exploit is scanned with archive scanning enabled. This is typically the case in gateway environments and in scheduled scans on servers. On-access scanning does not scan inside archives in a typical configuration. This makes successful exploitation of the vulnerability less likely in client environments.

Clearswift MIMEsweeper handles archive extraction and this reduces the risk in environments that use F-Secure Anti-Virus for MIMEsweeper.
 

Credit

F-Secure wants to thank Tavis Ormandy of the Google Security Team as the original finder of this issue and Sergio Alvarez of n.runs AG for pinpointing another exploitation vector.
 

Patch Available

 

Product | Versions | Hotfix ID | Download
--- | --- | --- | ---
F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Protection Service for Consumers | 5.00 - 6.40 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Anti-Virus for Workstations | 5.44 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix
F-Secure Anti-Virus Client Security | 6.00 - 6.03 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix
F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix
F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix
F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix
F-Secure Anti-Virus for MS Exchange 6.01 | 6.01 | fscss631-08 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-08.zip
F-Secure Anti-Virus for MS Exchange 6.40 | 6.40 | Upgrade to latest version | http://www.f-secure.com/webclub/fsavmse6.html
F-Secure Internet Gatekeeper | 6.60 | fsigk660-03 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk660-03.zip
F-Secure Anti-Virus for Linux Servers | 4.64 - 4.65 | New product build | http://www.f-secure.com/webclub/fsavsrvl.html
F-Secure Anti-Virus for Linux Gateways | 4.64 - 4.65 | New product build | http://www.f-secure.com/webclub/fsavgwl.html
F-Secure Linux Client Security | 5.30 | Upgrade to latest version | http://www.f-secure.com/webclub/fscsl.html
F-Secure Anti-Virus Linux Server Security | 5.30 | Upgrade to latest version | http://www.f-secure.com/webclub/fsssl.html
F-Secure Internet Gatekeeper for Linux | 2.16 | New product build | http://www.f-secure.com/webclub/fsigkl.html

Date Issued: 2007-05-30
Last Updated: 2007-05-29
