F-Secure
Tools
Security Advisory FSC-2007-1
Buffer overflow vulnerability in handling of specially crafted LHA archives
| Date issued | 2007-05-30 |
|---|---|
| Last updated | 2007-05-29 |
| Risk factor | Critical (Low/Medium/High/Critical) |
| Brief description | Several F-Secure products have a buffer overflow vulnerability in processing LHA archives. This may allow an attacker to execute arbitrary code or to create a denial-of-service condition. This vulnerability is related to a similar vulnerability in GZIP program's handling of LZH-compressed archives. |
| Software | F-Secure's Anti-Virus products for Microsoft Windows and Linux |
| Affected versions | F-Secure Anti-Virus for Workstations version 5.44 and earlier F-Secure Anti-Virus for Windows Servers version 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.52 F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier F-Secure Anti-Virus Client Security version 6.03 and earlier F-Secure Anti-Virus for MS Exchange version 6.40 and earlier F-Secure Internet Gatekeeper version 6.60 and earlier F-Secure Internet Security 2005, 2006 and 2007 F-Secure Anti-Virus 2005, 2006 and 2007 Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier F-Secure Anti-Virus for Linux Servers version 4.65 and earlier F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier F-Secure Anti-Virus Linux Client Security 5.30 and earlier F-Secure Anti-Virus Linux Server Security 5.30 and earlier F-Secure Internet Gatekeeper for Linux 2.16 and earlier |
| Affected platforms | All platforms supported by the affected products |
| Advisory location | http://www.f-secure.com/security/fsc-2007-1.shtml |
| Issue | An attacker may create a specially crafted LHA archive, which then in its decompression phase exploits the described buffer overflow vulnerability, allowing arbitrary code to be executed or the exploit to create a denial-of-service condition. US-Cert description of GZIP vulnerability: http://www.kb.cert.org/vuls/id/381508 |
| Products | F-Secure Internet Security 2005, 2006 and 2007 F-Secure Anti-Virus 2005, 2006 and 2007 Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier |
| Risk factor | High |
| These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory. | |
| Products | F-Secure Anti-Virus for Workstations 5.44 and earlier F-Secure Anti-Virus Linux Client Security 5.30 and earlier |
| Risk factor | High |
| These products contain the vulnerability but successful exploration requires the user to scan the exploit with archive scanning enabled. This can happen for example during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus Client Security version 6.03 and earlier |
| Risk factor | High |
| These products contain the vulnerability but successful exploration requires the user to scan the exploit with archive scanning enabled. This can happen for example during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Server and gateway products | F-Secure Anti-Virus for Windows Servers 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier F-Secure Internet Gatekeeper 6.60 and earlier F-Secure Anti-Virus for MS Exchange version 6.40 and earlier F-Secure Anti-Virus Linux Server Security 5.30 and earlier F-Secure Anti-Virus for Linux Servers version 4.65 and earlier F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier F-Secure Internet Gatekeeper for Linux 2.16 |
| Risk factor | Critical |
| Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines are typically scanning a large number of archive files with the scan inside archives setting enabled. Server products that are configured to use scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks. F-Secure recommends all users of the mentioned gateway and server products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier |
| Risk factor | Critical |
| This product is vulnerable but the Clearswift MIMEsweeper product performs the archive handling under normal circumstances. The vulnerability can however be exploited if the product is used to scan the local system or if MIMEsweeper fails to recognize an archive correctly and passes it on to the F-Secure scanner. F-Secure recommends users to apply the hotfix or upgrade to a later version (if available). |
|
| Mitigating factors |
|
Available patches:
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Protection Service for Consumers | 5.00 - 6.40 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus for Workstations | 5.44 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus Client Security | 6.00 - 6.03 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for MS Exchange 6.01 | 6.01 | fscss631-08 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-08.zip |
| F-Secure Anti-Virus for MS Exchange 6.40 | 6.40 | Upgrade to latest version | http://www.f-secure.com/webclub/fsavmse6.html |
| F-Secure Internet Gatekeeper | 6.60 | fsigk660-03 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk660-03.zip |
| F-Secure Anti-Virus for Linux Servers | 4.64 - 4.65 | New product build | http://www.f-secure.com/webclub/fsavsrvl.html |
| F-Secure Anti-Virus for Linux Gateways | 4.64 - 4.65 | New product build | http://www.f-secure.com/webclub/fsavgwl.html |
| F-Secure Linux Client Security | 5.30 | Upgrade to latest version | http://www.f-secure.com/webclub/fscsl.html |
| F-Secure Anti-Virus Linux Server Security | 5.30 | Upgrade to latest version | http://www.f-secure.com/webclub/fsssl.html |
| F-Secure Internet Gatekeeper for Linux | 2.16 | New product build | http://www.f-secure.com/webclub/fsigkl.html |
| Credits | F-Secure wants to thank Tavis Ormandy in Google Security Team as original founder of this issue and Sergio Alvarez in n.runs AG for pinpointing another exploitation vector. |
|---|---|
| Revision history | FSC-2007-1 / 2007-05-30 |
Contact information:
Support: http://www.f-secure.com/en_EMEA/support/