FSC-2007-2: IOCTL Vulnerability in Real-time Scanning Component
An IOCTL (Input/Output Control) vulnerability in the Real-time Scanning component may allow an attacker to gain elevated privileges on the system.
An attacker with local access to the system may gain elevated privileges on the system via a specially crafted IRP (I/O request packet). This privilege escalation becomes possible due to improper access validation of the address space used by Real-time Scanning.
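The advisory attributes the flaw to missing validation of the address space handed to the Real-time Scanning driver through an IRP, without describing the driver's actual code. The following C program is an added illustration of that vulnerability class, not F-Secure's code and not a description of the real defect: it models, in ordinary user-mode C, the range check a Windows driver must apply to caller-supplied pointers in a METHOD_NEITHER IOCTL before touching them, beside an unchecked handler that trusts any pointer. Every name in it (model_irp, probe_user_range, IOCTL_MODEL_SCAN, USER_PROBE_ADDRESS, the handler and wrapper functions) is constructed for this example; the CTL_CODE bit layout and the 0x7FFF0000 user-space boundary follow the public 32-bit NT definitions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added user-mode model (not F-Secure code, not a real NT driver) of the
 * address-space validation a kernel driver must perform on pointers that
 * arrive in a METHOD_NEITHER IOCTL. With that buffering method the I/O
 * manager hands the caller's raw pointer and length to the driver unchanged. */

/* Same bit layout as the Windows CTL_CODE macro; the function number is constructed. */
#define METHOD_NEITHER      3
#define FILE_DEVICE_UNKNOWN 0x22
#define FILE_ANY_ACCESS     0
#define CTL_CODE(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(func) << 2) | (uint32_t)(method))
#define IOCTL_MODEL_SCAN CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Upper bound of user space on 32-bit x86 NT with the default 2 GB split
 * (the value of MmUserProbeAddress). Addresses at or above it are kernel space. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

typedef uint32_t user_addr_t;   /* 32-bit virtual address in this model */

/* Constructed stand-in for what a driver reads from the IRP's current stack
 * location for a METHOD_NEITHER request. Both fields are caller controlled
 * and must be treated as untrusted. */
struct model_irp {
    uint32_t    io_control_code;
    user_addr_t type3_input_buffer;   /* caller's pointer, not validated by the I/O manager */
    uint32_t    input_length;         /* caller's length, not validated by the I/O manager */
};

enum model_status {
    MODEL_SUCCESS = 0,
    MODEL_ACCESS_VIOLATION = 1,
    MODEL_INVALID_PARAMETER = 2
};

/* Mirrors the checks ProbeForRead/ProbeForWrite apply (the real routines also
 * touch each page on success; this model only validates the range):
 *  - a zero-length buffer is always acceptable, nothing will be accessed;
 *  - the pointer must satisfy the alignment the driver will read it with;
 *  - addr + len must not wrap (a huge length cannot smuggle in a low address);
 *  - addr + len must not cross into kernel space. */
bool probe_user_range(user_addr_t addr, uint32_t len, uint32_t alignment)
{
    if (len == 0)
        return true;
    if (alignment != 0 && (addr % alignment) != 0)
        return false;
    user_addr_t end = addr + len;          /* uint32 arithmetic wraps on overflow */
    if (end < addr)
        return false;                      /* wrapped: length too large */
    if (end > USER_PROBE_ADDRESS)
        return false;                      /* reaches into kernel address space */
    return true;
}

/* The flawed pattern: the handler trusts the caller's pointer outright and
 * would go on to read or write through it in kernel context. */
int handle_scan_ioctl_unchecked(const struct model_irp *irp)
{
    if (irp->io_control_code != IOCTL_MODEL_SCAN)
        return MODEL_INVALID_PARAMETER;
    /* A real driver would dereference irp->type3_input_buffer here. */
    return MODEL_SUCCESS;
}

/* The hardened pattern: validate the range first, then copy the request into
 * driver-owned memory. A real driver wraps the probe and the copy in
 * __try/__except, since the caller can unmap the pages at any time. */
int handle_scan_ioctl(const struct model_irp *irp)
{
    if (irp->io_control_code != IOCTL_MODEL_SCAN)
        return MODEL_INVALID_PARAMETER;
    if (!probe_user_range(irp->type3_input_buffer, irp->input_length, sizeof(uint32_t)))
        return MODEL_ACCESS_VIOLATION;
    /* ... copy irp->input_length bytes into a kernel buffer and scan them ... */
    return MODEL_SUCCESS;
}

/* Wrappers that build a constructed request and run each handler on it. */
int hardened_result(uint32_t code, user_addr_t buf, uint32_t len)
{
    struct model_irp irp = { code, buf, len };
    return handle_scan_ioctl(&irp);
}

int unchecked_result(uint32_t code, user_addr_t buf, uint32_t len)
{
    struct model_irp irp = { code, buf, len };
    return handle_scan_ioctl_unchecked(&irp);
}

int main(void)
{
    /* Constructed requests: an ordinary user buffer and one aimed at kernel space. */
    printf("user buffer : unchecked=%d hardened=%d\n",
           unchecked_result(IOCTL_MODEL_SCAN, 0x00400000u, 64),
           hardened_result(IOCTL_MODEL_SCAN, 0x00400000u, 64));
    printf("kernel range: unchecked=%d hardened=%d\n",
           unchecked_result(IOCTL_MODEL_SCAN, 0x80000000u, 64),
           hardened_result(IOCTL_MODEL_SCAN, 0x80000000u, 64));
    return 0;
}
```

The unchecked handler returns success for both requests; the hardened one rejects the kernel-range request, a wrapped length and a misaligned pointer, which is the access validation the advisory says was missing.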
These products contain the vulnerability, but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory.
Platforms: All platforms supported by the affected products
Risk Level: MEDIUM (Low/Medium/High/Critical)
F-Secure Anti-Virus for Workstation version 5.44 and earlier
F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 6.03 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
F-Secure Anti-Virus for Workstations 5.44 and earlier*
F-Secure Anti-Virus Client Security version 6.03 and earlier*
F-Secure Anti-Virus for Windows Servers 5.52 and earlier*
F-Secure Anti-Virus for Citrix Servers version 5.52*
Notes for products marked *
Real-time Scanning (on-access scanning) is enabled by default in these products, making them vulnerable to this IOCTL vulnerability. F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).
Risk Level: LOW (Low/Medium/High/Critical)
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
These systems are affected by the vulnerability, but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer, and the risk of infection is thus significantly lower. F-Secure recommends that all users of the mentioned gateway and server products install the hotfix or upgrade to a version that is not affected (if available).
Exploitation of the IOCTL vulnerability requires local access to the system. Exploitation is not straightforward; it is only possible through a specially crafted IRP.
This vulnerability was found in an internal security audit, performed by F-Secure R&D.
| Product | Affected versions | Hotfix | Download / action |
|---|---|---|---|
| F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Protection Service for Consumers | 5.00 - 6.40 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus for Workstations | 5.44 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus Client Security | 6.00 - 6.03 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfi |
Date Issued: 2007-05-22
Last Updated: 2007-05-30
2007 Security advisories
- FSC-2007-6: EXE & Packed File Scanning Vulnerabilities (2007-09-27)
- FSC-2007-5: Scan Bypass Vulnerabilities with LHA & RAR Archives (2007-06-19)
- FSC-2007-4: Denial of Service Vulnerability in F-Secure Policy Manager Server host module (2007-05-30)
- FSC-2007-3: EXE & Packed File Scanning Vulnerabilities (2007-05-30)
- FSC-2007-2: IOCTL Vulnerability in Real-time Scanning Component (2007-05-30)
- FSC-2007-1: Buffer Overflow Vulnerability in Handling LHA Archives (2007-05-30)