Security Advisories

FSC-2008-1: CAB & RAR ARCHIVE SCANNING VULNERABILITIES

Description

Specially crafted CAB and RAR archives can bypass antivirus scanning.

Affected Products


Clients

Risk Level: MEDIUM (Low/Medium/High/Critical)

A user is able to move infected archives to and from the client, but the client does not get infected.
  • F-Secure Internet Security 2008
  • F-Secure Internet Security 2007 Second Edition
  • F-Secure Internet Security 2007
  • F-Secure Internet Security 2006
  • F-Secure Anti-Virus 2008
  • F-Secure Anti-Virus 2007 Second Edition
  • F-Secure Anti-Virus 2007
  • F-Secure Anti-Virus 2006
  • F-Secure Client Security 7.10
  • F-Secure Client Security 7.01
  • F-Secure Anti-Virus Client Security 6.04
  • F-Secure Anti-Virus Client Security 6.03
  • F-Secure Anti-Virus for Workstations 7.10
  • F-Secure Anti-Virus for Workstations 7.00
  • F-Secure Anti-Virus for Workstations 5.44
  • F-Secure Anti-Virus Linux Client Security 5.53
  • F-Secure Anti-Virus Linux Client Security 5.52
  • F-Secure Anti-Virus for Linux 4.65
  • Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
  • Solutions based on F-Secure Protection Service for Business version 3.00 and earlier

Servers

Risk Level: MEDIUM (Low/Medium/High/Critical)

A user is able to move infected content to and from servers.
  • F-Secure Anti-Virus for Windows Servers 7.00
  • F-Secure Anti-Virus for Windows Servers 5.52
  • F-Secure Anti-Virus for Citrix Servers 5.52
  • F-Secure Anti-Virus Linux Server Security 5.53
  • F-Secure Anti-Virus Linux Server Security 5.52

Gateways

Risk Level: CRITICAL (Low/Medium/High/Critical)

The gateway passes archives unscanned.
  • F-Secure Anti-Virus for Microsoft Exchange 7.0
  • F-Secure Anti-Virus for Microsoft Exchange 6.62
  • F-Secure Internet Gatekeeper 6.61, Windows
  • F-Secure Internet Gatekeeper for Linux 2.16
  • F-Secure Anti-Virus for MIMEsweeper 5.61
  • F-Secure Messaging Security Gateway 4.0.7 and earlier

 

Platforms

All supported platforms

 

Mitigating Factors

Exploitation of these vulnerabilities requires specially crafted archives. The CAB issue has been fixed automatically in F-Secure database updates, while fixing the RAR archive scanning requires installing the hotfix below.

Client software catches hostile content after the CAB/RAR container is opened, thus making infection impossible.

By default, server software does not scan CAB/RAR packed content. When the container is opened, the exposed content is scanned, thus making infection impossible.

 

Patch Available

Product, Versions: Download
  • F-Secure Anti-Virus Client Security 6.03, 6.04: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk604-01-signed.fsfix
  • F-Secure Client Security 7.01-7.10: ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsav741-02-signed.fsfix
  • F-Secure Anti-Virus for Workstations 5.44: ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk572-01-signed.fsfix
  • F-Secure Anti-Virus for Workstations 7.00-7.10: ftp://ftp.f-secure.com/support/hotfix/fsav/fsav741-02-signed.fsfix
  • F-Secure Anti-Virus for Windows Servers 5.52: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
  • F-Secure Anti-Virus for Windows Servers 7.00: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav720-03-signed.fsfix
  • F-Secure Anti-Virus for Citrix Servers 5.52: ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
  • F-Secure Anti-Virus Linux Client Security 5.52: http://www.f-secure.com/webclub/fscsl.html
  • F-Secure Anti-Virus Linux Client Security 5.53: http://www.f-secure.com/webclub/fscsl.html
  • F-Secure Anti-Virus Linux Server Security 5.52: http://www.f-secure.com/webclub/fsssl.html
  • F-Secure Anti-Virus Linux Server Security 5.53: http://www.f-secure.com/webclub/fsssl.html
  • F-Secure Anti-Virus for Linux Gateways 4.65: http://www.f-secure.com/webclub/fsavgwl.html
  • F-Secure Anti-Virus for Linux Servers 4.65: http://www.f-secure.com/webclub/fsavsrvl.html
  • F-Secure Anti-Virus for Microsoft Exchange 6.62: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse662-04.zip
  • F-Secure Anti-Virus for Microsoft Exchange 7.00: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse700-01.zip
  • F-Secure Internet Gatekeeper 6.61: ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk661-01.zip
  • F-Secure Internet Gatekeeper for Linux 2.16: http://www.f-secure.com/webclub/fsigkl.html
  • F-Secure Anti-Virus for MIMEsweeper 5.61: ftp://ftp.f-secure.com/support/hotfix/fsav-msw/fsavsr552-14-signed.fsfix
  • F-Secure Messaging Security Gateway 3.x: Unsupported version. Please upgrade to the latest version.
  • F-Secure Messaging Security Gateway 4.0.6, 4.0.7: Packages will be available in the update channel, and installed automatically.
  • Protection Services For Consumers 5 and 6: Packages will be available in the update channel, and installed automatically.
  • Protection Services For Businesses 3: Packages will be available in the update channel, and installed automatically.
  • F-Secure Internet Security 2006, 2007, 2007 Second Edition, 2008: Packages will be available in the update channel, and installed automatically.

Credits

F-Secure wants to thank Mr Thierry Zoller at n.runs AG for reporting these issues.

 

 

Date Issued: 2008-02-13
Last Updated: 2008-02-19
