| Date issued |
2006-11-29 |
| Last updated |
2006-11-29 |
| Risk factor |
Medium (Low/Medium/High/Critical) |
| Brief description |
OpenSSL has released a security advisory covering several vulnerabilities in OpenSSL. These vulnerabilities can cause denial of service, buffer overflows or client crashes. F-Secure products are affected only by the possible ASN.1-related DoS attacks (CVE-2006-2937). Versions of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL in the administrator web interface. By default, access to the web interface is accepted only from the same host, but it can be configured to be accessible from the network as well.
|
| Software |
F-Secure Anti-Virus for Microsoft Exchange
F-Secure Internet Gatekeeper
|
| Affected versions |
F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60
F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60
|
| Affected platforms |
All platforms supported by the affected products |
| Bulletin location |
http://www.f-secure.com/security/fsc-2006-6.shtml |
 |
| Issue: |
OpenSSL released a security advisory on September 28th 2006 concerning four security issues. The OpenSSL advisory is located at http://www.openssl.org/news/secadv_20060928.txt. F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper use OpenSSL. Of the four vulnerabilities listed in the OpenSSL announcement, only the ASN.1 denial of service issue (CVE-2006-2937) affects our products. The other vulnerabilities (CVE-2006-2940, CVE-2006-3738 and CVE-2006-4343) do not affect F-Secure products.
A fixed version has been made available to our customers using F-Secure Anti-Virus for Exchange or F-Secure Internet Gatekeeper. To solve the problem, apply the appropriate hotfix or update the product.
Please note that F-Secure Anti-Virus for Microsoft Exchange 6.61 is not affected by these vulnerabilities. |
| Products: |
F-Secure Anti-Virus for Microsoft Exchange 6.40 and 6.60
F-Secure Internet Gatekeeper 6.40, 6.41, 6.42, 6.50 and 6.60
|
| Scenario 1: |
Default configuration. Web Console is configured by default to accept connections only from the local host.
|
| Risk Factor: |
Medium
It is possible to exploit the vulnerabilities from the local host.
To solve the problem, apply the appropriate hotfix and/or update the product.
|
| Scenario 2: |
Web Console is configured to allow connections from specific/trusted hosts.
|
| Risk Factor: |
Medium
It is possible to exploit the vulnerabilities from hosts that are on the trusted hosts list.
To solve the problem, apply the appropriate hotfix and/or update the product.
|
| Scenario 3: |
The Web Console is configured to allow connections from all hosts.
|
| Risk Factor: |
Critical
It is possible to exploit the vulnerabilities from any host.
To solve the problem, apply the appropriate hotfix and/or update the product.
|
| Mitigating Factors: |
The Web Console for F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper is configured by default to accept local host connections only. This means that the Web Console can be accessed only from the local machine.
|
| Patch availability: |
|
|
| Revision History: |
FSC-2006-6 - 2006-11-29
|