Product Security

FSC-2007-2: IOCTL Vulnerability in Real-time Scanning Component

 

Brief Description

An IOCTL (Input/Output Control) vulnerability in the Real-time Scanning component may allow an attacker to gain elevated privileges on the system.

An attacker with local access to the system may gain elevated privileges via a specially crafted IRP (I/O request packet). This privilege escalation is possible because of improper access validation of the address space used by Real-time Scanning.

These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory.
 

Affected Platforms   

All platforms supported by the affected products
 

Products

Risk Level: MEDIUM (Low/Medium/High/Critical)

F-Secure Anti-Virus for Workstation version 5.44 and earlier
F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 6.03 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
F-Secure Anti-Virus for Workstations 5.44 and earlier*
F-Secure Anti-Virus Client Security version 6.03 and earlier*
F-Secure Anti-Virus for Windows Servers 5.52 and earlier*
F-Secure Anti-Virus for Citrix Servers version 5.52*

Notes for products marked *
Real-time Scanning (on-access scanning) is enabled by default in these products, making them vulnerable to this IOCTL vulnerability. F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).
 

Risk Level: LOW (Low/Medium/High/Critical)

F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Notes
These systems are affected by the vulnerability but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer and the risk for infection is thus significantly lower. F-Secure recommends all users of the mentioned gateway and server products to install the hotfix or upgrade to a version that is not affected (if available).
 

Mitigating Factors

Exploitation of the IOCTL vulnerability requires local access to the system. Exploitation is not straightforward; it is only possible through a specially crafted IRP.
 

Credit

This vulnerability was found in an internal security audit, performed by F-Secure R&D.
 

Patch Available

 

Product | Versions | Hotfix ID | Download
F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Protection Service for Consumers | 5.00 - 6.40 | - | Hotfix distributed automatically, no user actions needed.
F-Secure Anti-Virus for Workstations | 5.44 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix
F-Secure Anti-Virus Client Security | 6.00 - 6.03 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix
F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix
F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix
F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfi

Date Issued: 2007-05-22
Last Updated: 2007-05-30
