F-Secure Security Bulletin FSC-2008-1/FSC-2007-7
Vulnerabilities in scanning of specially crafted CAB and RAR archives

Date issued: 2008-02-13
Last updated: 2008-02-19
Risk factor: High (Low/Medium/High/Critical)
Brief description: Specially crafted CAB and RAR archives can bypass antivirus scanning.
Affected platforms: All supported platforms
Clients:  
Products: F-Secure Internet Security 2008
F-Secure Internet Security 2007 Second Edition
F-Secure Internet Security 2007
F-Secure Internet Security 2006
F-Secure Anti-Virus 2008
F-Secure Anti-Virus 2007 Second Edition
F-Secure Anti-Virus 2007
F-Secure Anti-Virus 2006
F-Secure Client Security 7.10
F-Secure Client Security 7.01
F-Secure Anti-Virus Client Security 6.04
F-Secure Anti-Virus Client Security 6.03
F-Secure Anti-Virus for Workstations 7.10
F-Secure Anti-Virus for Workstations 7.00
F-Secure Anti-Virus for Workstations 5.44
F-Secure Anti-Virus Linux Client Security 5.53
F-Secure Anti-Virus Linux Client Security 5.52
F-Secure Anti-Virus for Linux 4.65
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
Solutions based on F-Secure Protection Service for Business version 3.00 and earlier
Risk Factor: Medium

A user is able to move infected archives to and from the client, but the client does not get infected.


Mitigating Factors:
  • Exploitation of these vulnerabilities requires specially crafted archives.
  • The CAB issue has been fixed automatically in F-Secure database updates, while fixing the RAR archive scanning requires installing the hotfix below.
  • Client software catches hostile content after the CAB/RAR container is opened, thus making infection impossible.


Servers:  
Products: F-Secure Anti-Virus for Windows Servers 7.00
F-Secure Anti-Virus for Windows Servers 5.52
F-Secure Anti-Virus for Citrix Servers 5.52
F-Secure Anti-Virus Linux Server Security 5.53
F-Secure Anti-Virus Linux Server Security 5.52
Risk Factor: Medium

A user is able to move infected content to and from servers.


Mitigating Factors:
  • Exploitation of these vulnerabilities requires specially crafted archives.
  • The CAB issue has been fixed automatically in F-Secure database updates, while fixing the RAR archive scanning requires installing the hotfix below.
  • By default, server software does not scan CAB/RAR packed content. When the container is opened, the exposed content is scanned, thus making infection impossible.


Gateways:  
Products: F-Secure Anti-Virus for Microsoft Exchange 7.0
F-Secure Anti-Virus for Microsoft Exchange 6.62
F-Secure Internet Gatekeeper 6.61, Windows
F-Secure Internet Gatekeeper for Linux 2.16
F-Secure Anti-Virus for MIMEsweeper 5.61
F-Secure Messaging Security Gateway 4.0.7 and earlier
Risk Factor: High

The gateway passes archives unscanned.


Mitigating Factors:
  • Exploitation of these vulnerabilities requires specially crafted archives.
  • The CAB issue has been fixed automatically in F-Secure database updates, while fixing the RAR archive scanning requires installing the hotfix below.


Bulletin location: http://www.f-secure.com/security/fsc-2008-1.shtml
Patch availability:
Product | Versions | Hotfix ID | Download
F-Secure Anti-Virus Client Security | 6.03, 6.04 | fsavwk604-01 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk604-01-signed.fsfix
F-Secure Client Security | 7.01-7.10 | fsav741-02 | ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsav741-02-signed.fsfix
F-Secure Anti-Virus for Workstations | 5.44 | fsavwk572-01 | ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk572-01-signed.fsfix
F-Secure Anti-Virus for Workstations | 7.00-7.10 | fsav741-02 | ftp://ftp.f-secure.com/support/hotfix/fsav/fsav741-02-signed.fsfix
F-Secure Anti-Virus for Windows Servers | 5.52 | fsavsr552-14 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
F-Secure Anti-Virus for Windows Servers | 7.00 | fsav720-03 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav720-03-signed.fsfix
F-Secure Anti-Virus for Citrix Servers | 5.52 | fsavsr552-14 | ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
F-Secure Anti-Virus Linux Client Security | 5.52 | New product build#7020 | http://www.f-secure.com/webclub/fscsl.html
F-Secure Anti-Virus Linux Client Security | 5.53 | New product build#7020 | http://www.f-secure.com/webclub/fscsl.html
F-Secure Anti-Virus Linux Server Security | 5.52 | New product build#7020 | http://www.f-secure.com/webclub/fsssl.html
F-Secure Anti-Virus Linux Server Security | 5.53 | New product build#7020 | http://www.f-secure.com/webclub/fsssl.html
F-Secure Anti-Virus for Linux Gateways | 4.65 | New product build#7020 | http://www.f-secure.com/webclub/fsavgwl.html
F-Secure Anti-Virus for Linux Servers | 4.65 | New product build#7020 | http://www.f-secure.com/webclub/fsavsrvl.html
F-Secure Anti-Virus for Microsoft Exchange | 6.62 | fsavmse662-04 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse662-04.zip
F-Secure Anti-Virus for Microsoft Exchange | 7.00 | fsavmse700-01 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse700-01.zip
F-Secure Internet Gatekeeper | 6.61 | fsigk661-01 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk661-01.zip
F-Secure Internet Gatekeeper for Linux | 2.16 | New product build#533 | http://www.f-secure.com/webclub/fsigkl.html
F-Secure Anti-Virus for MIMEsweeper | 5.61 | fsavsr552-14 | ftp://ftp.f-secure.com/support/hotfix/fsav-msw/fsavsr552-14-signed.fsfix
F-Secure Messaging Security Gateway | 3.x | Unsupported version. Please upgrade to the latest version.
F-Secure Messaging Security Gateway | 4.0.6, 4.0.7 | Packages will be available in the update channel, and installed automatically.
Protection Services For Consumers | 5 and 6 | Packages will be available in the update channel, and installed automatically.
Protection Services For Businesses | 3 | Packages will be available in the update channel, and installed automatically.
F-Secure Internet Security | 2006, 2007, 2007 Second Edition, 2008 | Packages will be available in the update channel, and installed automatically.
Credits: F-Secure wants to thank Mr Thierry Zoller at n.runs AG for reporting these issues.

Revision History: FSC-2008-02-19

Contact Information:
Support: http://support.f-secure.com/enu/home/contactus/
Security: http://www.f-secure.com/security/
URL: http://www.f-secure.com/