FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Summary

A vulnerability in the web user interface of F-Secure Linux Security can allow product settings to be disabled remotely.

STATUS: RESOLVED

RISK LEVEL: MEDIUM

FIX: Hotfix 9 was published to fix this vulnerability. Download and instructions at: https://www.f-secure.com/en/business/downloads/linux-security

Affected Products

Corporate Products:

  • F-Secure Linux Security Version 11.00
  • F-Secure Linux Security Version 11.10

Platforms

  • All supported platforms of the affected products

More Information

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the web user interface of F-Secure Linux Security. An unauthenticated attacker can cause a forged request to be sent to the web user interface in the context of a logged-in administrator's browser session. A successful attack can lead to product settings being disabled remotely through the web interface, including the antivirus, firewall, and integrity protection settings.

This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
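
The following is an added illustration of the vulnerability class described above, not code from F-Secure or from the Linux Security product. It models a settings-changing endpoint in two forms: a handler that honours any POST carrying a valid session cookie (the pattern a CSRF attack abuses, since browsers attach cookies to cross-site form submissions automatically), and a hardened handler that additionally requires a per-session synchronizer token and a matching Origin/Referer header. The request type, session store, trusted origin, endpoint path and setting names are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not the product's real API)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


# Hypothetical origin of the product's own web UI; a real deployment would
# derive this from its configured listen address.
TRUSTED_ORIGIN = "https://linuxsecurity.example:28443"
DEFAULT_SETTINGS = {"antivirus": True, "firewall": True, "integrity_protection": True}


class SessionStore:
    """Server-side sessions keyed by an opaque id; each carries its own CSRF token."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32),
                               "settings": dict(DEFAULT_SETTINGS)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def request_origin(headers):
    """Return scheme://host[:port] from Origin (preferred) or Referer, else None."""
    value = headers.get("Origin") or headers.get("Referer")
    parts = urlsplit(value) if value else None
    if not parts or not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_disable(store, req):
    """Before: a POST with a valid session cookie is honoured with no further check,
    so a page on any other origin can trigger this action in the admin's session."""
    session = store.get(req.cookies.get("session", ""))
    if req.method != "POST" or session is None:
        return 403
    component = req.form.get("component")
    if component not in session["settings"]:
        return 400
    session["settings"][component] = False
    return 200


def hardened_disable(store, req):
    """After: the same handler with two independent CSRF defences.
    1. Origin/Referer must equal the UI's own origin (fail closed if both are absent).
    2. The form must carry the per-session synchronizer token, compared in constant
       time; a foreign page never sees the UI's HTML, so it cannot learn the token."""
    session = store.get(req.cookies.get("session", ""))
    if req.method != "POST" or session is None:
        return 403
    if request_origin(req.headers) != TRUSTED_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403
    component = req.form.get("component")
    if component not in session["settings"]:
        return 400
    session["settings"][component] = False
    return 200


def demo():
    """Run both handlers against a constructed cross-site POST and a constructed
    legitimate POST; returns status codes and the resulting firewall setting."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_disable), ("hardened", hardened_disable)):
        store = SessionStore()
        sid = store.create()
        # Cross-site submission: the session cookie is present, the submitting
        # page has a foreign origin and does not know the token.
        cross_site = Request("POST", "/settings/disable", {"Origin": "https://other-site.example"},
                             {"session": sid}, {"component": "firewall"})
        results[name + "_cross_site"] = handler(store, cross_site)
        results[name + "_firewall_after"] = store.get(sid)["settings"]["firewall"]
    # Legitimate submission from the UI's own page, carrying its token.
    store = SessionStore()
    sid = store.create()
    legit = Request("POST", "/settings/disable", {"Origin": TRUSTED_ORIGIN}, {"session": sid},
                    {"component": "firewall", "csrf_token": store.get(sid)["csrf"]})
    results["hardened_legit"] = hardened_disable(store, legit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable handler returning 200 and flipping the firewall setting off for the cross-site request, while the hardened handler returns 403 and leaves the setting untouched, yet still accepts the legitimate submission. The two checks are deliberately independent: the Origin check covers browsers that send the header, and the token covers cases where it is missing or stripped. Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer that stops the cookie being attached to cross-site POSTs in the first place.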

Mitigating Factors

When configuring the Linux Security 11-series, the administrator should not browse to other sites until configuration is complete and they have signed out of the web interface.

Fix Available

Product: F-Secure Linux Security
Versions: 11.00, 11.10
Fix: Hotfix 9 was published to fix this vulnerability. Download and instructions at: https://www.f-secure.com/en/business/downloads/linux-security

Credits

F-Secure Corporation would like to thank Tomas Bortoli (tomasbortoli@gmail.com) for bringing this issue to our attention.

Date Issued: 2020-05-19