FSC-2013-1: Remote code execution vulnerability in DLL component
A vulnerability in a legacy DLL component related to ActiveX control, in certain F-Secure’s server products, allows arbitrary connections to be made to the ODBC drivers when using the Internet Explorer (IE) web browser. If the local server is running using local authentication, an attacker may be able to execute arbitrary SQL statements.
• All supported platforms
Risk Level: HIGH (Low/Medium/High/Critical)
• F-Secure Anti-Virus for Microsoft Exchange Server 9.00 - 9.10
• F-Secure Anti-Virus for Windows Servers 9.00
• F-Secure Anti-Virus for Citrix Servers 9.00
• F-Secure Email and Server Security 9.20
• F-Secure Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Email and Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Server Security 9.20
Exploiting the vulnerability requires use of the IE web browser. On Windows Server 2003 servers, the “IE Enhanced Security Configuration” option (which is enabled by default) must also be disabled. The local server must run with local authentication in order for the attacker to run arbitrary SQL statements. No attacks have been reported in the wild.
F-Secure Corporation wants to thank Andrea Micalizzi (aka rgod) and HP’s Zero Day Initiative (ZDI) for reporting the issue.
Date Issued: 2013-04-24
Last Updated: 2013-04-24