F-Secure
Tools
Security Advisory FSC-2006-1
Code execution vulnerability in ZIP and RAR archive handling
| Date issued | 2006-01-19 |
|---|---|
| Last updated | 2006-01-28 |
| Risk factor | Critical (Low/Medium/High/Critical) |
| Brief description | Specially crafted ZIP archives may be used to execute code on affected systems. Both RAR- and ZIP-archives can in addition be crafted to avoid successful scanning and obfuscate malicious code in the archive. |
| Software | F-Secure's Anti-Virus products for Microsoft Windows and Linux |
| Affected versions | F-Secure Anti-Virus for Workstation version 5.44 and earlier F-Secure Anti-Virus for Windows Servers version 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.52 F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier F-Secure Anti-Virus Client Security version 6.01 and earlier F-Secure Anti-Virus for MS Exchange version 6.40 and earlier F-Secure Internet Gatekeeper version 6.42 and earlier F-Secure Anti-Virus for Firewalls version 6.20 and earlier F-Secure Internet Security 2004, 2005 and 2006 F-Secure Anti-Virus 2004, 2005 and 2006 Solutions based on F-Secure Personal Express version 6.20 and earlier F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier F-Secure Anti-Virus for Linux Servers version 4.64 and earlier F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier F-Secure Anti-Virus for Samba Servers version 4.62 F-Secure Anti-Virus Linux Client Security 5.11 and earlier F-Secure Anti-Virus Linux Server Security 5.11 and earlier F-Secure Internet Gatekeeper for Linux 2.14 and earlier |
| Affected platforms | All platforms supported by the affected products |
| Advisory location | http://www.f-secure.com/security/fsc-2006-1.shtml |
| Issue | It is possible to create specially crafted ZIP archives that cause a buffer overflow. This allows an attacker to execute code of his choice on affected systems. It is in addition possible to create malformed RAR- and ZIP-archives that cannot be scanned properly. This can lead to a false negative scan result. |
| Products | F-Secure Internet Security 2004, 2005 and 2006 F-Secure Anti-Virus 2004, 2005 and 2006 Solutions based on F-Secure Personal Express version 6.20 and earlier |
| Risk factor | Critical |
| These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory. | |
| Products | F-Secure Anti-Virus for Workstations 5.44 and earlier F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier F-Secure Anti-Virus Linux Client Security 5.11 and earlier |
| Risk factor | Critical |
| These products contain the vulnerability but successful exploration requires the user to scan the exploit with archive scanning enabled. This can happen for example during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus Client Security version 6.01 and earlier |
| Risk factor | Critical |
| This product contains e-mail scanning functionality. This module is vulnerable in its default configuration. This fact makes it more likely that an attack against this product will succeed compared to other affected client products. The on-access scanner in this product is not vulnerable in its default configuration. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | Server and gateway products: F-Secure Anti-Virus for Windows Servers 5.52 and earlier F-Secure Internet Gatekeeper 6.42 and earlier F-Secure Anti-Virus for Firewalls 6.20 and earlier F-Secure Anti-Virus for MS Exchange version 6.40 and earlier F-Secure Anti-Virus Linux Server Security 5.11 and earlier F-Secure Anti-Virus for Linux Servers version 4.64 and earlier F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier F-Secure Anti-Virus for Samba Servers 4.62 F-Secure Internet Gatekeeper for Linux 2.14 |
| Risk factor | Critical |
| Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines are typically scanning a large number of archive files with the scan inside archives setting enabled. Server products that are configured to use scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks. F-Secure recommends all users of the mentioned gateway and server products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier |
| Risk factor | Critical |
| This product is vulnerable but the Clearswift MIMEsweeper product performs the archive handling under normal circumstances. The vulnerability can however be exploited if the product is used to scan the local system or if MIMEsweeper fails to recognize an archive correctly and passes it on to the F-Secure scanner. F-Secure recommends users to apply the hotfix or upgrade to a later version (if available). |
|
| Mitigating factors |
|
Available patches and upgrades:
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Internet Security 2004 - 2006 | Hotfix distributed automatically. | ||
| F-Secure Anti-Virus 2004 - 2006 | Hotfix distributed automatically. | ||
| F-Secure Personal Express | 6.20 and earlier | Hotfix distributed automatically. | |
| F-Secure Anti-Virus for Workstations | 5.42 - 5.44 | fsavwk620-02 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix |
| F-Secure Anti-Virus Client Security version | 5.54 - 6.01 | fsavwk620-02 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk620-02-signed.fsfix |
| F-Secure Anti-Virus for Windows Servers | 5.42 - 5.52 | fsavsr552-05 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-05 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix |
| F-Secure Anti-Virus for MIMEsweeper | 5.42 - 5.61 | fsavsr552-05 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-05-signed.fsfix |
| F-Secure Anti-Virus for MS Exchange | 6.01 | fscss631-07 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-07.zip |
| F-Secure Anti-Virus for MS Exchange | 6.40 | fsavmse640-03 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-03.zip |
| F-Secure Internet Gatekeeper | 6.42 | fsigk642-02 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk642-02.zip |
| F-Secure Anti-Virus for Linux Servers | 4.63-4.64 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus for Linux Gateways | 4.63-4.64 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus for Samba Servers | 4.62 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus Linux Client Security | 5.00 - 5.04 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus Linux Client Security | 5.10 - 5.11 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus Linux Server Security | 5.00 - 5.04 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Anti-Virus Linux Server Security | 5.10 - 5.11 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| F-Secure Internet Gatekeeper for Linux | 2.10 - 2.14 | Updated binary | ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz |
| Credits | F-Secure Corporation thanks Thierry Zoller (http://www.zoller.lu) for bringing this issue to our attention. |
|---|---|
| Revision history | FSC-2006-1 / 2006-01-19 FSC-2006-1.1 / 2006-06-28 (hotfix references updated) |
Contact information:
Support: http://www.f-secure.com/en_EMEA/support/