FSC-2013-1: Remote code execution vulnerability in DLL component
Brief Description
A vulnerability in a legacy DLL component related to an ActiveX control, shipped with certain F-Secure server products, allows arbitrary connections to be made to the ODBC drivers when the component is loaded in the Internet Explorer (IE) web browser. If the local server is running with local authentication, an attacker may be able to execute arbitrary SQL statements through such a connection.
Affected Platforms
• All supported platforms
Risk Level: HIGH (Low/Medium/High/Critical)
Products
• F-Secure Anti-Virus for Microsoft Exchange Server 9.00 - 9.10
• F-Secure Anti-Virus for Windows Servers 9.00
• F-Secure Anti-Virus for Citrix Servers 9.00
• F-Secure Email and Server Security 9.20
• F-Secure Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Email and Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Server Security 9.20
Mitigating Factors
Exploiting the vulnerability requires the use of the IE web browser. On Windows Server 2003, the "IE Enhanced Security Configuration" option (which is enabled by default) must also have been disabled. The local server must be running with local authentication for the attacker to be able to run arbitrary SQL statements. No attacks have been reported in the wild.
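Because the advisory lists IE Enhanced Security Configuration as a mitigating factor, the first thing to verify on an affected server is whether IE ESC is still enabled for both Administrators and Users. The following PowerShell is an added example, not code from F-Secure or from the advisory; it assumes the Active Setup registry keys that IE ESC uses on Windows Server (the GUIDs below are the commonly documented ones, with IsInstalled = 1 meaning enabled), and reports the state per group.

```powershell
# Added example (not part of the F-Secure advisory).
# Reads the Active Setup "IsInstalled" values that back the
# IE Enhanced Security Configuration setting for Administrators and Users.
# Assumed locations: the two well-known Active Setup component GUIDs below.
function Get-IEEscState {
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $components = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }

    foreach ($group in $components.Keys) {
        $path  = Join-Path -Path $base -ChildPath $components[$group]
        # IsInstalled is absent when IE ESC is not present on this edition.
        $value = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled

        [pscustomobject]@{
            Group   = $group
            Present = ($null -ne $value)
            Enabled = ($value -eq 1)
        }
    }
}

# Usage: run on the server as an administrator.
# A row with Enabled = False for Administrators means the mitigating factor
# from the advisory no longer applies to that account class.
Get-IEEscState | Format-Table -AutoSize
```

The check is read-only; it does not change the IE ESC setting. Treat Enabled = False on any affected product version as a reason to prioritise applying the fix rather than relying on the mitigation.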
Credit
F-Secure Corporation thanks Andrea Micalizzi (aka rgod) and HP's Zero Day Initiative (ZDI) for reporting the issue.
Fix Available
Date Issued: 2013-04-24
Last Updated: 2013-04-24