Security Advisories
FSC-2015-3: Local privilege escalation
Description
An Access Control List (ACL) bypass in the F-Secure Gatekeeper driver allows local privilege escalation through kernel memory corruption.
Affected Products
- Risk Level (Low/Medium/High/Cricital) High
Component:
- F-Secure Gatekeeper driver - FSGK.SYS
Corporate products:
- F-Secure Client Security
- F-Secure Client Security Premium
- F-Secure Anti-Virus for Workstations
- F-Secure Server Security
- F-Secure Server Security Premium
- F-Secure Email and Server Security
- F-Secure Email and Server Security Premium
- F-Secure Protection Service for Business (PSB) Workstation Security
- F-Secure Protection Service for Business (PSB) Server Security
- F-Secure Protection Service for Business (PSB) Email and Server Security
Consumer Products:
- F-Secure Safe Anywhere PC
- F-Secure Internet Security
- F-Secure Anti-Virus
- F-Secure Ultralight Anti-Virus Beta
Platforms
- Risk Level (Low/Medium/High/Cricital) High
- Windows
More Information
It was discovered that it is possible to bypass the Access Control List (ACL) for the F-Secure Gatekeeper device driver, even when access rights is given only to an Administrator or SYSTEM account. This is caused by the missing flag of FILE_DEVICE_SECURE_OPEN when creating an object. A successful bypass of the ACL will allow an attacker to manipulate the kernel buffer allocation, resulting in a memory corruption. Successful exploitation will result in a local privilege escalation of a normal user account to an administrator or system account.
Fix Available
| Component | Version | Remark |
|---|---|---|
| fsgk.sys | 10.80.110.65 | Fix is available in the automatic update channel for all affected products. No user action is needed if automatic updates is enabled. |
Credits
F-Secure Corporation would like to thank Ilja van Sprundel from IOActive and Thierry Decroix for bringing this issue to our attention.
Date Issued: 2015-09-01