| Date issued |
2004-09-09 |
| Risk factor |
Low (Low/Medium/High/Critical) |
| Brief description |
Certain malformed packets cause a possible denial of service condition by causing an unhandled exception thus crashing a process in F-Secure Content Scanner Server. The process is automatically restarted by a "watchdog" service. Upgrading to the latest version of the products or applying a hotfix solves the problem. |
| CVE Information |
CAN-2004-0830 |
| Affected software |
F-Secure Anti-Virus for Microsoft Exchange
F-Secure Internet Gatekeeper |
| Affected versions |
F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier
F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier
F-Secure Internet Gatekeeper 6.32 and earlier
|
| Affected platforms |
All platforms supported by the affected products |
| Bulletin location |
http://www.F-Secure.com/security/fsc-2004-2.shtml |
 |
| Issue: |
Certain malformed packets cause a possible denial of service condition by causing an unhandled exception thus crashing a process in F-Secure Content Scanner Server. The process is automatically restarted by a "watchdog" service. Upgrading to the latest version of the products or applying a hotfix solves the problem.
|
| Workaround: |
Products can be configured in a way that only allowed connections are accepted by the F-Secure Content Scanner Server. This is achieved by configuring F-Secure Content Scanner Server to accept connections only from known IP addresses.
- In F-Secure Policy Manager Console, go to F-Secure Content Scanner Server > Settings > Interface and, in the "Accept Connections" setting, specify the comma-separated list of IP addresses the server will accept requests from.
- In the local user interface, a similar setting can be found on the Interface tab page under the Server/Interface category.
When the products are deployed so that F-Secure Content Scanner Server resides on the same host as the F-Secure Anti-Virus Agent, local mode interaction is used and only 127.0.0.1 (localhost) needs to be defined in the allowed connections table.
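An added example, not part of F-Secure's bulletin: a Python check that audits a copy of the "Accept Connections" value against the workaround above. The function names, the `known_agents` inventory and the sample values are assumptions made for illustration; how the product itself parses the setting is not described in the bulletin.

```python
import ipaddress

LOOPBACK = ipaddress.ip_address("127.0.0.1")

def parse_accept_list(value):
    """Split the comma-separated value into (addresses, rejected entries)."""
    valid, rejected = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            valid.append(ipaddress.ip_address(entry))
        except ValueError:
            rejected.append(entry)  # hostname, range or typo, not one IP address
    return valid, rejected

def audit_accept_list(value, local_mode, known_agents=()):
    """Return findings for one server; an empty list means the value matches."""
    valid, rejected = parse_accept_list(value)
    findings = [f"not an IP address: {e!r}" for e in rejected]
    if not valid:
        findings.append("no valid address listed: workaround not applied")
    # Assumption: local mode needs only localhost, as the advisory states;
    # otherwise the expected set is the inventory of known agent hosts.
    expected = ({LOOPBACK} if local_mode
                else {ipaddress.ip_address(a) for a in known_agents})
    for addr in valid:
        if addr.is_unspecified:
            findings.append(f"unspecified address listed: {addr}")
        elif addr not in expected:
            findings.append(f"unexpected address for this deployment: {addr}")
    for addr in sorted(expected - set(valid), key=str):
        findings.append(f"expected address missing: {addr}")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    samples = [
        ("127.0.0.1", True, ()),
        ("127.0.0.1, 10.0.0.5", True, ()),
        ("10.0.0.5, mailgw, 0.0.0.0", False, ("10.0.0.5", "10.0.0.6")),
    ]
    for value, local_mode, agents in samples:
        print(repr(value), "->", audit_accept_list(value, local_mode, agents) or "OK")
```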
|
| Products: |
F-Secure Anti-Virus for Microsoft Exchange 6.21
F-Secure Internet Gatekeeper 6.32
|
| Risk Factor: |
Low
These products contain the vulnerability but upgrading to the latest released versions will solve the issue. Also, a hotfix is available.
F-Secure recommends upgrading to the latest released versions of the products: F-Secure Anti-Virus for Microsoft Exchange 6.30 and F-Secure Internet Gatekeeper 6.40.
|
| Products: |
F-Secure Anti-Virus for Microsoft Exchange 6.20 and earlier
F-Secure Internet Gatekeeper 6.31 and earlier
|
| Risk Factor: |
Low
These products contain the vulnerability but upgrading to the latest released versions will solve the issue.
F-Secure recommends upgrading to the latest released versions of the products: F-Secure Anti-Virus for Microsoft Exchange 6.30 and F-Secure Internet Gatekeeper 6.40.
|
| Products: |
F-Secure Anti-Virus for MS Exchange 6.01
|
| Risk Factor: |
Low
This product contains the vulnerability but applying the hotfix will solve the issue.
|
| Mitigating Factors: |
- The latest released versions, F-Secure Anti-Virus for Microsoft Exchange 6.30 and F-Secure Internet Gatekeeper 6.40, are not affected by this vulnerability.
- This is not considered a major issue because the products are installed in the company's internal network, or at least in a DMZ, so the port should not be exposed to the public Internet.
- Products can be configured to make it very hard to exploit this vulnerability. See workaround.
- Products are usually deployed so that F-Secure Content Scanner Server resides on the same host as the F-Secure Anti-Virus Agent. In this case, local mode interaction is used and only 127.0.0.1 (localhost) needs to be defined in the allowed connections table.
|
| Patch Availability: |
|
|
| Contact Information: |
Support: http://support.f-secure.com/enu/home/contactus/
Security: http://www.f-secure.com/security/
|
| Credit: | We thank iDEFENSE for bringing this issue to our attention.
http://www.idefense.com
|