| Date issued |
2007-05-30 |
| Last updated |
2007-05-29 |
| Risk factor |
Critical (Low/Medium/High/Critical) |
| Brief description |
Several F-Secure products have a buffer overflow vulnerability in processing LHA archives. This may allow an attacker to execute arbitrary code or to create a denial-of-service condition. This vulnerability is related to a similar vulnerability in GZIP program's handling of LZH-compressed archives.
|
| Software |
F-Secure's Anti-Virus products for Microsoft Windows and Linux
|
| Affected versions |
F-Secure Anti-Virus for Workstations version 5.44 and earlier
F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 6.03 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Internet Gatekeeper version 6.60 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Anti-Virus Linux Client Security 5.30 and earlier
F-Secure Anti-Virus Linux Server Security 5.30 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
|
| Affected platforms |
All platforms supported by the affected products |
| Bulletin location |
http://www.f-secure.com/security/fsc-2007-1.shtml |
 |
| Issue: |
An attacker may create a specially crafted LHA archive, which then in its decompression phase exploits the described buffer overflow vulnerability, allowing arbitrary code to be executed or the exploit to create a denial-of-service condition.
US-Cert description of GZIP vulnerability:
http://www.kb.cert.org/vuls/id/381508
|
| Products: |
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 6.40 and earlier
|
| Risk Factor: |
High
These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action. This means that virtually all affected systems in this category will be patched automatically shortly after publication of this advisory.
|
| Products: |
F-Secure Anti-Virus for Workstations 5.44 and earlier
F-Secure Anti-Virus Linux Client Security 5.30 and earlier
|
| Risk Factor: |
High
These products contain the vulnerability but successful exploration requires the user to scan the exploit with archive scanning enabled. This can happen for example during on-demand scanning or if the on-access scanner's settings have been changed. The on-access scanner is not vulnerable in its default configuration.
F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available).
|
| Products: |
F-Secure Anti-Virus Client Security version 6.03 and earlier
|
| Risk Factor: |
High
This product contains e-mail scanning functionality. This module is vulnerable in its default configuration. This fact makes it more likely that an attack against this product will succeed compared to other affected client products. The on-access scanner in this product is not vulnerable in its default configuration.
F-Secure recommends all users of these products to install the hotfix or upgrade to a version that is not affected (if available).
|
| Server and gateway products: |
F-Secure Anti-Virus for Windows Servers 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Internet Gatekeeper 6.60 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Anti-Virus Linux Server Security 5.30 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Internet Gatekeeper for Linux 2.16
|
| Risk Factor: |
Critical
Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP) traffic are vulnerable. These machines are typically scanning a large number of archive files with the scan inside archives setting enabled. Server products that are configured to use scheduled on-demand scans are also likely to be vulnerable. This makes products in this category the most likely target for attacks.
F-Secure recommends all users of the mentioned gateway and server products to install the hotfix or upgrade to a version that is not affected (if available).
|
| Products: |
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
|
| Risk Factor: |
Critical
This product is vulnerable but the Clearswift MIMEsweeper product performs the archive handling under normal circumstances. The vulnerability can however be exploited if the product is used to scan the local system or if MIMEsweeper fails to recognize an archive correctly and passes it on to the F-Secure scanner.
F-Secure recommends users to apply the hotfix or upgrade to a later version (if available).
|
| Mitigating Factors: |
- The vulnerability requires that the exploit is scanned with archive scanning enabled. This is typically the case in gateway environments and scheduled scans on servers. On-access scanning does not scan inside archives in a typical configuration. This makes successful exploration of the vulnerability less likely in client environments.
- Clearswift MIMEsweeper handles archive extraction and this reduces the risk in environments that use F-Secure Anti-Virus for MIMEsweeper.
|
| Patch availability: |
|
|
| Credits: |
F-Secure wants to thank Tavis Ormandy in Google Security Team as original founder of this issue and Sergio Alvarez in n.runs AG for pinpointing another exploitation vector.
|
| Revision History: |
FSC-2007-1 - 2007-05-30
|
![](/images/pixel.gif"){kind=tracking}
