F-Secure Security Bulletin FSC-2005-1
Code execution vulnerability in ARJ-archive handling

Date issued: 2005-02-10
Risk factor: Critical (Low/Medium/High/Critical)
Brief description: Specially crafted ARJ packages may be used to execute code on affected systems.
Software: F-Secure's antivirus products
Affected versions:
F-Secure Anti-Virus for Workstation version 5.43 and earlier
F-Secure Anti-Virus for Windows Servers version 5.50 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.50
F-Secure Anti-Virus for MIMEsweeper version 5.51 and earlier
F-Secure Anti-Virus Client Security version 5.55 and earlier
F-Secure Anti-Virus for MS Exchange version 6.31 and earlier
F-Secure Internet Gatekeeper version 6.41 and earlier
F-Secure Anti-Virus for Firewalls version 6.20 and earlier
F-Secure Internet Security 2004 and 2005
F-Secure Anti-Virus 2004 and 2005
Solutions based on F-Secure Personal Express version 5.10 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.61 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.61 and earlier
F-Secure Anti-Virus for Samba Servers version 4.60
F-Secure Anti-Virus Linux Client Security 5.01 and earlier
F-Secure Anti-Virus Linux Server Security 5.01 and earlier
F-Secure Internet Gatekeeper for Linux 2.06
Affected platforms: All platforms supported by the affected products
Bulletin location: http://www.f-secure.com/security/fsc-2005-1.shtml
Issue: It is possible to create specially crafted ARJ archives that cause a buffer overflow. This allows an attacker to execute code of his choice on the target system. Note that a severity class has been assigned to each product family separately as the risk for successful exploitation of this vulnerability varies.

Products: F-Secure Internet Security 2004 and 2005
F-Secure Anti-Virus 2004 and 2005
Solutions based on F-Secure Personal Express version 5.10 and earlier
Risk Factor: High

These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any actions. This means that virtually all affected systems in this category will be patched shortly after publication of this advisory. The mitigation factor mentioned below also lowers the severity in this category.


Products: F-Secure Anti-Virus for Workstations 5.43 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus Linux Client Security 5.01 and earlier
Risk Factor: High

These products contain the vulnerability, but successful exploitation requires the user to scan the exploit with archive scanning enabled. This can happen, for example, during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration.

F-Secure recommends that all users of these products install the hotfix or upgrade to a version that is not affected (if available).


Products: F-Secure Anti-Virus Client Security version 5.55 and earlier
Risk Factor: High

This product contains e-mail scanning functionality, and this module is vulnerable in its default configuration. This makes a successful attack against this product more likely than against the other affected client products. The on-access scanner in this product is not vulnerable in its default configuration.

F-Secure recommends that all users of this product install the hotfix or upgrade to a version that is not affected (if available).


Products: Server and gateway products

F-Secure Anti-Virus for Windows Servers 5.50 and earlier
F-Secure Anti-Virus for MIMEsweeper 5.51 and earlier
F-Secure Internet Gatekeeper 6.41 and earlier
F-Secure Anti-Virus for Firewalls 6.20 and earlier
F-Secure Anti-Virus for MS Exchange version 6.31 and earlier
F-Secure Anti-Virus Linux Server Security 5.01 and earlier
F-Secure Anti-Virus for Linux Servers version 4.61 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.61 and earlier
F-Secure Anti-Virus for Samba Servers 4.60
F-Secure Internet Gatekeeper for Linux 2.06

Risk Factor: Critical

Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines typically scan a large number of archive files with the "scan inside archives" setting enabled. Server products that are configured to run scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks.

F-Secure recommends that all users of the gateway and server products listed above install the hotfix as soon as possible or upgrade to a version that is not affected (if available).


Mitigating Factors:
  • The vulnerability requires that the exploit is scanned with archive scanning enabled. This is typically the case in gateway environments and in scheduled scans on servers. On-access scanning does not scan inside archives in a typical configuration. This makes successful exploitation of the vulnerability less likely in client environments.
Patch Availability:
Product | Versions | Hotfix ID | Download
F-Secure Internet Security | 2004 and 2005 | - | Hotfix distributed automatically
F-Secure Anti-Virus | 2004 and 2005 | - | Hotfix distributed automatically
F-Secure Personal Express | 5.10 and earlier | - | Hotfix distributed automatically
F-Secure Anti-Virus for Workstations | 5.40 | fsavwk540-07 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavwk540-07-signed.fsfix
F-Secure Anti-Virus for Workstations | 5.41 | fsavwk541-14 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavwk541-14-signed.fsfix
F-Secure Anti-Virus for Workstations | 5.42, 5.43 | fsavwk543-01 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavwk543-01-signed.fsfix
F-Secure Anti-Virus Client Security | 5.52 | fsavwk552-12 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavwk552-12-signed.fsfix
F-Secure Anti-Virus Client Security | 5.54, 5.55 | fsavwk557-01 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavwk557-01-signed.fsfix
F-Secure Anti-Virus for Windows Servers | 5.42 - 5.50 | fsavsr551-02 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavsr551-02-signed.fsfix
F-Secure Anti-Virus for Citrix Servers | 5.50 | fsavsr551-02 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavsr551-02-signed.fsfix
F-Secure Anti-Virus for MIMEsweeper | 5.42 - 5.51 | fsavsr551-02 | ftp://ftp.europe.f-secure.com/support/hotfix/fsav/fsavsr551-02-signed.fsfix
F-Secure Anti-Virus for MS Exchange | 6.01 | CSS 6.31 HF6 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-06.zip
F-Secure Anti-Virus for MS Exchange | 6.31 | CSS 6.41 HF3 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss641-03.zip
F-Secure Internet Gatekeeper | 6.41 | CSS 6.41 HF3 | ftp://ftp.f-secure.com/support/hotfix/fsig/fscss641-03.zip
F-Secure Anti-Virus for Firewalls | 6.20 | Hotfix7 | ftp://ftp.f-secure.com/support/hotfix/fsav-fw/fsavfw620-07.zip
F-Secure Anti-Virus for Linux Workstations | 4.52 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-4.61-hotfix4.tgz
F-Secure Anti-Virus for Linux Servers | 4.61 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-4.61-hotfix4.tgz
F-Secure Anti-Virus for Linux Gateways | 4.61 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-4.61-hotfix4.tgz
F-Secure Anti-Virus for Samba Servers | 4.60 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-4.61-hotfix4.tgz
F-Secure Anti-Virus Linux Client Security | 5.01 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-5.0x-hotfix1.tgz
F-Secure Anti-Virus Linux Server Security | 5.01 and earlier | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsav-5.0x-hotfix1.tgz
F-Secure Internet Gatekeeper for Linux | 2.06 | Updated binary | ftp://ftp.europe.f-secure.com/support/hotfix/fsav-linux/fsigk-2.06-hotfix2.tgz

Credits: F-Secure Corporation thanks Alex Wheeler of ISS X-Force for bringing this issue to our attention.

http://xforce.iss.net/xforce/alerts/id/188

Revision History: FSC-2005-1 - 2005-02-10

Contact Information: Support: http://support.f-secure.com/enu/home/contactus/
Security: http://www.f-secure.com/security/