| Field | Details |
|---|---|
| Date issued | 2005-11-02 |
| Risk factor | Low/Medium (scale: Low/Medium/High/Critical) |
| Brief description | A limited directory traversal vulnerability can be exploited by bypassing the Web Console authentication. It is possible to gain read access to a file on the local disk from allowed hosts. By default, connections are only allowed from the local host.<br>To solve the problem, apply the appropriate hotfix. |
| Software | F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper |
| Affected versions | F-Secure Anti-Virus for Microsoft Exchange 6.40<br>F-Secure Internet Gatekeeper 6.42, 6.41, 6.40 |
| Affected platforms | All platforms supported by the affected products |
| Bulletin location | http://www.f-secure.com/security/fsc-2005-2.shtml |
| Section | Details |
|---|---|
| Issue | A limited directory traversal vulnerability can be exploited by bypassing the Web Console authentication. It is possible to gain read access to a file on the local disk from allowed hosts. By default, connections are only allowed from the local host.<br>To solve the problem, apply the appropriate hotfix. |
| Products | F-Secure Anti-Virus for Microsoft Exchange 6.40<br>F-Secure Internet Gatekeeper 6.42 |
| Scenario 1 | Default configuration. The Web Console is configured by default to accept connections only from the local host. |
| Risk Factor | Low<br>The limited directory traversal vulnerability can be exploited from the local host.<br>To solve the problem, apply the appropriate hotfix. |
| Scenario 2 | The Web Console is configured to allow connections from specific/trusted hosts. |
| Risk Factor | Low<br>The limited directory traversal vulnerability can be exploited from the hosts that connections are allowed from.<br>To solve the problem, apply the appropriate hotfix. |
| Scenario 3 | The Web Console is configured to allow connections from all hosts. |
| Risk Factor | Medium<br>The limited directory traversal vulnerability can be exploited from any host.<br>To solve the problem, apply the appropriate hotfix. |
| Products | F-Secure Internet Gatekeeper 6.41, 6.40 |
| Risk Factor | Low<br>These versions contain the vulnerability, but upgrading to the latest released versions and applying the hotfix will solve the issue.<br>F-Secure recommends upgrading to the latest released versions of the products: F-Secure Anti-Virus for Microsoft Exchange 6.40 and F-Secure Internet Gatekeeper 6.42. |
| Mitigating Factors | - This is not considered to be a major issue because the Web Console for F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper is configured by default to accept local host connections only, meaning that the Web Console can be accessed only from the local machine.<br>- It is not possible to browse the file system. The attacker must know the path and the file name to be able to access a file.<br>- The access rights gained are very limited. It is possible to gain only read access to a file on the local disk. |
| Patch Availability | |
| Credits | We thank Mikko Korppi for bringing this issue to our attention. |
| Revision History | FSC-2005-2 - 2005-11-02 |
| Contact Information | Support: http://support.f-secure.com/enu/home/contactus/<br>Security: http://www.f-secure.com/security/<br>URL: http://www.f-secure.com/ |