| Date issued |
2004-11-23 |
| Risk factor |
Medium (Low/Medium/High/Critical) |
| Brief description |
ZIP archives crafted in a special way may fool the scanner into terminating the scan, possibly leaving malware in the archive undetected. |
| CVE Information |
|
| Software |
F-Secure's antivirus products |
| Affected versions |
F-Secure Anti-Virus for Workstation version 5.43 and earlier
F-Secure Anti-Virus for Windows Servers version 5.50 and earlier
F-Secure Anti-Virus for MIMEsweeper version 5.50 and earlier
F-Secure Anti-Virus Client Security version 5.55 and earlier
F-Secure Anti-Virus for MS Exchange version 6.31 and earlier
F-Secure Anti-Virus for MS Exchange version 6.01 and earlier
F-Secure Internet Gatekeeper version 6.41 and earlier
F-Secure Anti-Virus for Firewalls version 6.20 and earlier
F-Secure Internet Security 2004 and 2005
F-Secure Anti-Virus 2004 and 2005
Solutions based on F-Secure Personal Express version 5.00 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.61 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.61 and earlier
F-Secure Anti-Virus for Samba Servers version 4.60
F-Secure Anti-Virus Linux Client Security 5.00
F-Secure Anti-Virus Linux Server Security 5.00
F-Secure Internet Gatekeeper for Linux 2.06 and earlier
|
| Affected platforms |
All platforms supported by the affected products |
| Bulletin location |
http://www.f-secure.com/security/fsc-2004-3.shtml |
 |
| Issue: |
It is possible to create specially crafted ZIP archives that fool the scanner into believing that the archive is of zero length. This causes the scanner to stop scanning the archive and pass it through, so malware inside the ZIP archive may go undetected. This vulnerability does not affect the product's ability to detect malware when it is extracted from the archive. Note that a severity class has been assigned to each product family separately, as the possible impact of this vulnerability varies.
|
| Products: |
F-Secure Internet Security 2004 and 2005
F-Secure Anti-Virus 2004 and 2005
Solutions based on F-Secure Personal Express version 5.00 and earlier
|
| Risk Factor: |
Low
These products contain the vulnerability, but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action.
|
| Products: |
F-Secure Anti-Virus for Workstations 5.43 and earlier
F-Secure Anti-Virus for Windows Servers 5.50 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.61 and earlier
F-Secure Anti-Virus for Samba Servers 4.60
F-Secure Anti-Virus Linux Client Security 5.00
|
| Risk Factor: |
Low
These products contain the vulnerability but the affected feature is typically not critical for the security of the system. The impact is minimal in the default configuration. The product is still capable of detecting the malware in extracted files before they are executed.
The schedule for providing a fix has not been defined yet for these products. Hotfixes will not be made for F-Secure Anti-Virus Linux Client Security and Server Security. The next service release, 5.01, of these products will contain the fix.
|
| Products: |
F-Secure Anti-Virus for MIMEsweeper 5.50 and earlier
|
| Risk Factor: |
Low
F-Secure Anti-Virus for MIMEsweeper does not handle ZIP archives. Archives are handled by MIMEsweeper, and this vulnerability does not affect the reliability of such systems. The vulnerability does, however, affect the virus scanner's ability to detect malware that is stored in archives on the disk of the computer that runs MIMEsweeper. The impact of this is minimal in the default configuration.
The schedule for providing a fix has not been defined yet for this product.
|
| Products: |
F-Secure Anti-Virus Client Security version 5.55 and earlier
|
| Risk Factor: |
Medium
The e-mail scanning module may pass infected attachments through and allow them to be stored in the system or sent to other users. The system itself is, however, protected, as malware will be detected in extracted files prior to execution. Applying a hotfix solves the problem.
F-Secure recommends that users of this product apply the hotfix.
|
| Products: |
F-Secure Internet Gatekeeper 6.41 and earlier
F-Secure Anti-Virus for Firewalls 6.20 and earlier
F-Secure Anti-Virus for MS Exchange version 6.31 and earlier
F-Secure Anti-Virus for MS Exchange version 6.01 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.61 and earlier
F-Secure Internet Gatekeeper for Linux 2.06 and earlier
|
| Risk Factor: |
Medium
The vulnerability may cause these gateway products to pass an infected attachment or downloaded file through to end-users. Antivirus software on the client systems will catch these attachments in most environments, but the failure in the gateway may still lead to infections on unprotected clients or undetected malware in outbound traffic. Applying an appropriate hotfix solves the problem.
F-Secure recommends that users of these gateway products apply the appropriate hotfix.
|
| Mitigating Factors: |
- This vulnerability is typically significant only in systems that scan e-mail traffic. These systems handle archives without extracting them and it is important to be able to scan the archive contents reliably. Clients need to extract files before a virus can activate and this vulnerability does not affect scanning of extracted files.
|
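An added example, not part of F-Secure's bulletin or product code: a gateway-side consistency check that holds an archive instead of passing it as scanned clean when its declared sizes do not match the data it carries. The bulletin does not say which ZIP fields are involved; the header-size comparison, the function name `audit_zip` and the fail-closed handling are assumptions, and ZIP64 and encrypted entries are out of scope.

```python
import io
import struct
import sys
import zipfile
import zlib

def audit_zip(data: bytes) -> list:
    """Return reasons a gateway should hold this archive instead of passing it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unparseable archive"]
    findings = []
    infos = zf.infolist()
    if not infos and len(data) > 22 + len(zf.comment):  # more than a bare end record
        findings.append("no entries listed, but the container holds more data")
    for info in infos:
        name = info.filename
        hdr = data[info.header_offset:info.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
            findings.append(f"{name}: local header missing")
            continue
        flags = struct.unpack_from("<H", hdr, 6)[0]
        l_csize, l_usize, nlen, xlen = struct.unpack_from("<IIHH", hdr, 18)
        # Flag bit 3: sizes follow the data, so zeros in the local header are legitimate.
        if not flags & 0x08 and (l_csize, l_usize) != (info.compress_size, info.file_size):
            findings.append(f"{name}: local and central directory sizes disagree")
        start = info.header_offset + 30 + nlen + xlen
        raw = data[start:start + info.compress_size]
        try:
            if info.compress_type == zipfile.ZIP_STORED:
                actual = len(raw)
            elif info.compress_type == zipfile.ZIP_DEFLATED:
                # Inflate at most one byte past the declared size (bounds zip bombs).
                actual = len(zlib.decompressobj(-15).decompress(raw, info.file_size + 1))
            else:
                findings.append(f"{name}: method {info.compress_type} not verified")
                continue
        except zlib.error:
            findings.append(f"{name}: corrupt deflate stream")
            continue
        if actual != info.file_size:
            findings.append(f"{name}: declared size {info.file_size} does not match data")
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, audit_zip(fh.read()) or "consistent")
```

A non-empty result means the archive should be quarantined or rejected rather than treated as empty and passed on.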
| Patch Availability: |
|
|
| Contact Information: |
Support: http://support.f-secure.com/enu/home/contactus/
Security: http://www.f-secure.com/security/
|