FSC-2007-5: Scan Bypass Vulnerabilities with LHA & RAR Archives
Brief Description
Specially crafted archives and packed executables cause antivirus scanning to loop.
Specially crafted archives and packed executables allow an attacker to create a denial-of-service condition in F-Secure antivirus solutions by causing a loop in file scanning.
The products listed in this advisory contain the described vulnerabilities. However, recent antivirus database updates have automatically fixed both of the mentioned issues, without any intervention needed by the user or administrator.
Affected Platforms
All platforms supported by the affected products
Products
Risk Level: LOW (Low/Medium/High/Critical)
Clients
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Linux Client Security 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
F-Secure Anti-Virus for Workstations 7.00 and earlier
F-Secure Anti-Virus Client Security version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
F-Secure Internet Gatekeeper 6.60 and earlier
F-Secure Anti-Virus Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16
Mitigating Factors
Exploitation of the vulnerabilities requires specially crafted archives or packed executables. The vulnerability in archive scanning concerns only those products that scan inside archives by default. These issues have been fixed automatically in F-Secure database updates. This applies to all affected product versions, with the exception of deployments that do not use automatic updates or automated scripts for the updates.
Credit
F-Secure wants to thank Sergio Alvarez of n.runs AG for reporting these issues.
Patch Available
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Fixed automatically in database updates. |
| F-Secure Protection Service for Consumers | 7.00 and earlier | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for Workstations | 5.44 - 7.00 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus Client Security | 6.00 - 7.00 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for Windows Servers | 5.52 - 7.00 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for MIMEsweeper | 5.61 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for MS Exchange | 6.40 - 6.62 | - | Fixed automatically in database updates. |
| F-Secure Internet Gatekeeper | 6.60 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for Linux Servers | 4.64 - 4.65 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus for Linux Gateways | 4.64 - 4.65 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus Linux Client Security | 5.30 - 5.52 | - | Fixed automatically in database updates. |
| F-Secure Anti-Virus Linux Server Security | 5.30 - 5.52 | - | Fixed automatically in database updates. |
| F-Secure Internet Gatekeeper for Linux | 2.16 | - | Fixed automatically in database updates. |
Date Issued: 2007-05-22
Last Updated: 2007-05-30
2007 Security advisories
- FSC-2007-6: EXE & Packed File Scanning Vulnerabilities (2007-09-27)
- FSC-2007-5: Scan Bypass Vulnerabilities with LHA & RAR Archives (2007-06-19)
- FSC-2007-4: Denial of Service Vulnerability in F-Secure Policy Manager Server host module (2007-05-30)
- FSC-2007-3: EXE & Packed File Scanning Vulnerabilities (2007-05-30)
- FSC-2007-2: IOCTL Vulnerability in Real-time Scanning Component (2007-05-30)
- FSC-2007-1: Buffer Overflow Vulnerability in Handling LHA Archives (2007-05-30)




