Security Advisories

FSC-2019-3: Unauthenticated Remote Code Execution in F-Secure Internet Gatekeeper

Description

Vulnerability in web user interface of the F-Secure Internet Gatekeeper can lead to remote code execution.

STATUS: RESOLVED.

ACTION REQUIRED: User action is required; see details below.

RISK LEVEL: CRITICAL.

Affected Products

Corporate Products:

F-Secure Internet Gatekeeper version 5.50 and below
F-Secure Internet Gatekeeper Virtual Appliance version 5.50 and below

Platforms

All supported platforms for the affected products

More Information

A vulnerability was discovered in the web user interface of the F-Secure Internet Gatekeeper product. An unauthenticated user can cause a heap overflow by issuing a malformed HTTP request to the web user interface. A successful attack can lead to remote code execution on the F-Secure Internet Gatekeeper server.

This issue and a Proof-of-Concept exploit was reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

Fix Available

Product	Versions	Fix
F-Secure Internet Gatekeeper	5.40 – 5.50	Hotfix 8 has been published to fix this vulnerability. Download and instructions on: https://www.f-secure.com/en/web/business_global/downloads/internet-gatekeeper Note: Security hotfix is only released for version 5.40 – 5.50, as per our Support Policy. Users with older versions are advised to upgrade to a newer version which has security hotfixes support.
F-Secure Internet Gatekeeper Virtual Appliance	5.40 – 5.50	Hotfix 8 has been published to fix this vulnerability. Download and instructions on: https://www.f-secure.com/en/web/business_global/downloads/internet-gatekeeper Note: Security hotfix is only released for FSIGKVA version 5.40 – 5.50, as per our Support Policy. Users with older versions are advised to upgrade to a newer version which has security hotfixes support.

Product

Versions

Fix

F-Secure Internet Gatekeeper

5.40 – 5.50

Hotfix 8 has been published to fix this vulnerability. Download and instructions on:
https://www.f-secure.com/en/web/business_global/downloads/internet-gatekeeper

Note:
Security hotfix is only released for version 5.40 – 5.50, as per our Support Policy. Users with older versions are advised to upgrade to a newer version which has security hotfixes support.

F-Secure Internet Gatekeeper Virtual Appliance

5.40 – 5.50

Hotfix 8 has been published to fix this vulnerability. Download and instructions on:
https://www.f-secure.com/en/web/business_global/downloads/internet-gatekeeper

Note:
Security hotfix is only released for FSIGKVA version 5.40 – 5.50, as per our Support Policy. Users with older versions are advised to upgrade to a newer version which has security hotfixes support.

Credits

F-Secure Corporation would like to thank Kevin Joensen for bringing this issue to our attention.

Date Issued: 2019-07-11