Security Advisories

FSC-2015-2: Path traversal vulnerability

Description

During internal testing, F-Secure identified a path traversal vulnerability in the database update component.

Affected Products

  • Risk Level (Low/Medium/High/Critical): High

Corporate products:

  • F-Secure Client Security 10.0 - 11.60
  • F-Secure Client Security Premium 11.0 - 11.60
  • F-Secure Anti-Virus for Workstations 10.0 - 11.60
  • F-Secure Server Security 10.00 - 11.01
  • F-Secure Server Security Premium 11.00 - 11.01
  • F-Secure Email and Server Security 10.00 - 11.01
  • F-Secure Email and Server Security Premium 10.00 - 11.01
  • F-Secure Policy Manager for Windows 10.10 - 11.30
  • F-Secure Protection Service for Business (PSB) Workstation Security 10.00 - 10.10
  • F-Secure Protection Service for Business (PSB) Server Security 10.00 - 11.00
  • F-Secure Protection Service for Business (PSB) Email and Server Security 10.00 - 11.00
  • F-Secure Linux Security 10.00 - 10.20
  • F-Secure Internet Gatekeeper 4.11 - 5.20
  • F-Secure Policy Manager for Linux 10.10 - 11.30
  • F-Secure Internet Gatekeeper for Virtual Appliance 5.20
  • F-Secure Scanning and Reputation Server 11.00

Consumer products:

  • F-Secure Safe Anywhere PC 12.0 - 15.1
  • F-Secure Safe Anywhere Mac
  • F-Secure Internet Security 2013 - 2015
  • F-Secure Anti-Virus 2013 - 2015
  • Younited clients
  • F-Secure Online Scanner 6.2
  • F-Secure Ultralight Anti-Virus (beta)

Platforms

  • All supported platforms for the affected products

More Information

During internal testing, F-Secure discovered that a remote attacker in a man-in-the-middle (MITM) position on the update channel can perform path traversal against the database update component: file names supplied through the channel are not confined to the update directory. On successful exploitation the attacker can replace any file on an affected system, so the integrity of the update channel is the only barrier between a network attacker and arbitrary file writes on the host.
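As an added illustration of this bug class (not F-Secure's code, and not the format of its update channel), the Python below contrasts an update installer that trusts manifest-supplied file names with one that confines every write to the update directory. The manifest entries, directory names and file contents are constructed for the example; `safe_target()` and `demo()` are hypothetical helpers, not anything the advisory names.

```python
"""Added example: confining update-package file names to the update directory.

The manifest, paths and contents below are constructed for illustration;
none of this is F-Secure's code or the format of its update channel.
"""
import os
import tempfile
from pathlib import Path

# Constructed manifest as a man-in-the-middle could deliver it. The second
# entry carries a traversal sequence meant to land outside the update directory.
MANIFEST = [
    ("signatures/db-2015-03.bin", b"legitimate signature database"),
    ("../outside/owned.txt", b"attacker-controlled content"),
]


def naive_install(update_dir: Path, manifest) -> list:
    """Vulnerable pattern: joins the manifest-supplied name without checking it."""
    written = []
    for name, data in manifest:
        target = update_dir / name          # '..' segments are honoured as-is
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target.resolve())
    return written


def safe_target(update_dir: Path, name: str) -> Path:
    """Resolve `name` under update_dir, raising ValueError if it escapes."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        raise ValueError(f"absolute path rejected: {name!r}")
    root = update_dir.resolve()
    candidate = (root / name).resolve()     # collapses '..' and follows symlinks
    # Containment test on normalised paths; a plain string-prefix check would
    # accept /updates-evil as being inside /updates.
    if os.path.commonpath([root, candidate]) != str(root):
        raise ValueError(f"path escapes update directory: {name!r}")
    return candidate


def safe_install(update_dir: Path, manifest) -> tuple:
    """Hardened pattern: every write goes through safe_target()."""
    written, rejected = [], []
    for name, data in manifest:
        try:
            target = safe_target(update_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target)
    return written, rejected


def demo() -> dict:
    """Run both installers on the constructed manifest inside a scratch tree."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp).resolve()
        naive_root = scratch / "naive" / "updates"
        safe_root = scratch / "safe" / "updates"
        naive_root.mkdir(parents=True)
        safe_root.mkdir(parents=True)

        naive_written = naive_install(naive_root, MANIFEST)
        naive_escaped = [p for p in naive_written
                         if os.path.commonpath([naive_root, p]) != str(naive_root)]
        safe_written, rejected = safe_install(safe_root, MANIFEST)

        return {
            "naive_escaped": [str(p.relative_to(scratch)) for p in naive_escaped],
            "safe_written": [str(p.relative_to(scratch)) for p in safe_written],
            "rejected": [name for name, _ in rejected],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Path confinement is the generic fix for the traversal itself, but it only stops writes outside the update directory. It does not authenticate the update: a MITM can still substitute the contents of a legitimately named file, so the channel needs its own integrity protection (signed packages or an authenticated transport) in addition to the containment check.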

This advisory will be updated as additional information becomes available.

Note: Appropriate fixes were applied to all F-Secure backend systems before this advisory was released.

Fix Available

Product / Versions / Remarks

  • F-Secure Client Security (Standard & Premium), 10.00 - 11.60
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Anti-Virus for Workstations, 10.0 - 11.60
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Server Security (Standard & Premium), 10.00 - 11.01
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Email and Server Security (Standard & Premium), 10.00 - 11.01
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Policy Manager for Windows, 10.10 - 11.30
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Protection Service for Business (PSB) Workstation Security, 10.00 - 10.10
    A Multifix has been deployed and made available:
      • Version 10.00: PSB WKS 10.00 Multifix 04
      • Version 10.10: PSB WKS 10.10 Multifix 01
  • F-Secure Protection Service for Business (PSB) Server Security, 10.00 - 11.00
    A Multifix has been deployed and made available:
      • Version 10.00: PSB ESS 10.00 Multifix 04
      • Version 11.00: PSB ESS 11.00 Multifix 02
  • F-Secure Protection Service for Business (PSB) Email and Server Security, 10.00 - 11.00
    A Multifix has been deployed and made available:
      • Version 10.00: PSB ESS 10.00 Multifix 04
      • Version 11.00: PSB ESS 11.00 Multifix 02
  • F-Secure Linux Security, 10.00 - 10.20
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version.
  • F-Secure Internet Gatekeeper, 4.11 - 5.20
    Hotfix for 4.x versions: https://download.f-secure.com/corpro/igk/igk4.12/fsigk-4.xx-hf2.tar.gz
    Hotfix for 5.x versions: https://download.f-secure.com/corpro/igk/current/fsigk-5.xx-hf1.tar.gz
    Note: IGK 5.00, and IGK versions prior to 4.11, must first be upgraded to the latest available release (5.20 and 4.12 respectively) before the corresponding hotfix is applied.
    Recommendation: IGK 4.03 - 4.10 should be upgraded to the latest supported version.
  • F-Secure Policy Manager for Linux, 10.10 - 11.30
    Hotfix for 11.x versions: https://download.f-secure.com/corpro/pm_linux/pm_linux11.31/fspm-11.xx-linux-hotfix-1.zip
    The 10.x versions of this product have reached End-of-Life and are no longer supported. Upgrade to the latest product version and apply the latest hotfixes.
  • F-Secure Internet Gatekeeper for Virtual Appliance, 5.20
      1. Download and re-install the latest version of the appliance.
      2. Verify the appliance version by opening the management console and checking the full version shown on the login screen:
        • IGK VA: 5.20.646.15
  • F-Secure Scanning and Reputation Server, 11.00
      1. Download and re-install the latest version of the appliance.
      2. Verify the appliance version by opening the management console and checking the full version shown on the login screen:
        • SRS ESXi: 11.00.556.179
        • SRS Hyper-V: 11.00.556.32
        • SRS XenServer: 11.00.556.87
  • F-Secure Safe Anywhere PC, 12.0 - 15.1
    Fix is available in the automatic update channel. No user action required.
  • F-Secure Safe Anywhere Mac
    Fix is available in the automatic update channel. The installation must be started manually from the notification or the menu bar.
  • F-Secure Internet Security, 2013 - 2015
    Fix is available in the automatic update channel. No user action required.
  • F-Secure Anti-Virus, 2013 - 2015
    Fix is available in the automatic update channel. No user action required.
  • Younited for Windows
    Update to the latest client when prompted.
  • Younited for Mac
    Update to the latest client when prompted.
  • F-Secure Online Scanner, 6.2
    Download the latest version from the F-Secure Online Scanner page.
  • F-Secure Ultralight Anti-Virus
    Fix is available in the automatic update channel. No user action required.

Advisory Changes

Date / Changes

  • 12 March 2015: First advisory published.
  • 24 March 2015: Updated issue description. Updated list of affected products to include corporate products, along with fixes.
  • 30 March 2015: Updated list of affected products to indicate Premium products.
  • 1 April 2015: Updated list of affected products to include Internet Security and Anti-Virus.
  • 17 May 2015: Updated Fix Available table to remove links for products that have reached End-of-Life.
  • 11 November 2016: Updated Fix Available table to remove links for products that have reached End-of-Life.

Date Issued: 2015-03-12
Date Updated: 2016-11-11