F-Secure
Tools
Security Advisory FSC-2007-2
IOCTL vulnerability in Real-time Scanning component of F-Secure workstation and file server products for Windows
| Date issued | 2007-05-30 |
|---|---|
| Last updated | 2007-05-29 |
| Risk factor | Medium (Low/Medium/High/Critical) |
| Brief description | IOCTL (Input/Output Control) vulnerability in Real-time Scanning component may allow an attacker to gain elevated privileges to the system. |
| Software | F-Secure's Anti-Virus products for Microsoft Windows and Linux |
| Affected versions | F-Secure Anti-Virus for Workstation version 5.44 and earlier F-Secure Anti-Virus for Windows Servers version 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier F-Secure Anti-Virus Client Security version 6.03 and earlier F-Secure Internet Security 2005, 2006 and 2007 F-Secure Anti-Virus 2005, 2006 and 2007 Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier |
| Affected platforms | All platforms supported by the affected products |
| Advisory location | http://www.f-secure.com/security/fsc-2007-2.shtml |
| Issue | An attacker with local access to the system may gain elevated privileges to the system via specially crafted IRP (I/O request packet). This privilege escalation becomes possible due to improper access validation of the address space used by Real-time Scanning. |
| Products | F-Secure Internet Security 2005, 2006 and 2007 F-Secure Anti-Virus 2005, 2006 and 2007 Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier |
| Risk factor | Medium |
| These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory. | |
| Products | F-Secure Anti-Virus for Workstations 5.44 and earlier |
| Risk factor | Medium |
| Real-time Scanning (on-access scanning) is by default enabled in these products, making these products vulnerable to this IOCTL vulnerability. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus Client Security version 6.03 and earlier |
| Risk factor | Medium |
| Real-time Scanning (on-access scanning) is by default enabled in these products, making these products vulnerable to this IOCTL vulnerability. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| File server products | F-Secure Anti-Virus for Windows Servers 5.52 and earlier F-Secure Anti-Virus for Citrix Servers version 5.52 |
| Risk factor | Medium |
| Real-time Scanning (on-access scanning) is by default enabled in these products, making these products vulnerable to this IOCTL vulnerability. F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Products | F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier |
| Risk factor | Low |
| These systems are affected by the vulnerability but their main task is typically to filter mail traffic. The vulnerability only affects local use of the computer and the risk for infection is thus significantly lower. F-Secure recommends all users of the mentioned gateway and server products to install the hotfix or upgrade to a version that is not affected (if available). |
|
| Mitigating factors |
|
Available patches:
| Product | Versions | Hotfix ID | Download |
|---|---|---|---|
| F-Secure Internet Security 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus 2005 - 2007 | 2005 - 2007 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Protection Service for Consumers | 5.00 - 6.40 | - | Hotfix distributed automatically, no user actions needed. |
| F-Secure Anti-Virus for Workstations | 5.44 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus Client Security | 6.00 - 6.03 | fsavwk602-04 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk602-04-signed.fsfix |
| F-Secure Anti-Virus for Windows Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for Citrix Servers | 5.50 - 5.52 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-11 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-11-signed.fsfix |
| Credits | This vulnerability was found in an internal security audit, performed by F-Secure R&D. |
|---|---|
| Revision history | FSC-2007-2 / 2007-05-30 |
Contact information:
Support: http://www.f-secure.com/en_EMEA/support/