Security Advisories

FSC-2019-02: Local Code Execution Vulnerability in F-Secure Windows Endpoint Protection Product installers

Summary

A DLL pre-loading vulnerability in F-Secure installers can lead to arbitrary code-execution during installation. 

STATUS: RESOLVED

ACTION REQUIRED: No user action is required, except for environments using F-Secure Policy Manager; see details below.

RISK LEVEL: MEDIUM

FIX: As the issue is only exploitable during the installation process, there is no need to reinstall the product. Only in environments using F-Secure Policy Manager may the administrator need to fetch new installers; see details below. In all other environments, the automatic update channel is used during installation.

Affected Products

Consumer Products:

  • F-Secure SAFE for Windows
  • F-Secure Internet Security
  • F-Secure Anti-Virus

Corporate Products:

  • F-Secure Client Security Standard and Premium
  • F-Secure PSB Workstation Security
  • F-Secure Computer Protection Standard and Premium

 

Platforms

  • Windows 

More Information

A vulnerability affecting most F-Secure Windows endpoint protection products was discovered whereby a planted DLL file would get executed during installation of the product. This would result in local privilege escalation on the endpoint.

This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

Mitigating Factors

An attacker must have file creation rights on the machine prior to successful exploitation.
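
The following is an added example, not part of the original advisory or any F-Secure tooling: a pre-installation check that lists DLL files sitting beside an installer and copies the installer alone into a fresh directory before it is run. The advisory does not say where the DLL had to be planted; the example assumes the common pre-loading case in which it sits in the installer's own directory, and the file names, directory names and the staging_root location are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path


def colocated_dlls(installer: Path) -> list[str]:
    """Names of DLL files in the installer's own directory.

    By default Windows looks in the directory an executable was started
    from before the system directories, so these are load candidates.
    """
    return sorted(
        p.name for p in installer.parent.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    )


def stage_installer(installer: Path, staging_root: Path) -> Path:
    """Copy only the installer into a new, empty directory under staging_root.

    Assumption: staging_root is writable by administrators only.
    """
    staging_dir = Path(tempfile.mkdtemp(prefix="install-", dir=staging_root))
    staged = Path(shutil.copy2(installer, staging_dir / installer.name))
    unexpected = colocated_dlls(staged)
    if unexpected:  # something was written between creation and this check
        raise RuntimeError(f"unexpected DLLs beside staged installer: {unexpected}")
    return staged


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a download folder holding an installer and a stray DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp, "Downloads")
        staging_root = Path(tmp, "AdminStaging")
        downloads.mkdir()
        staging_root.mkdir()
        installer = downloads / "example-setup.exe"  # placeholder name and content
        installer.write_bytes(b"constructed placeholder")
        (downloads / "Example.DLL").write_bytes(b"constructed placeholder")
        before = colocated_dlls(installer)
        staged = stage_installer(installer, staging_root)
        return before, colocated_dlls(staged)


if __name__ == "__main__":
    before, after = demo()
    print("DLLs beside installer in download folder:", before)
    print("DLLs beside staged installer:", after)
```

A non-empty result from colocated_dlls for a directory that ordinary users can write to is the condition the mitigating factor above describes.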

Available fix

As the issue is only exploitable during the installation process, there is no need to reinstall the product. Only in environments using F-Secure Policy Manager may the administrator need to fetch new installers; see details below. In all other environments, the automatic update channel is used during installation.

Consumer products:

| Product | Versions | Fix |
|---|---|---|
| F-Secure SAFE for Windows | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |
| F-Secure Internet Security | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |
| F-Secure Anti-Virus | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |

Corporate products:

| Product | Versions | Fix |
|---|---|---|
| F-Secure Client Security Standard and Premium | 14.0x | A fix has been released in the automatic update channel since 30th April 2019. User action is required for local MSI installation, which needs to be re-exported with Policy Manager 14.10 to fix this vulnerability. Customers running Policy Manager 14.0x must upgrade to Policy Manager 14.10 to fix this vulnerability in CS 14.0x. No user action is required for centralized installation with Policy Manager 14.10. |
| F-Secure PSB Workstation Security | 12.01 | No user action is required. A fix has been released in the automatic update channel since 30th April 2019. |
| F-Secure Computer Protection Standard and Premium | 19.3 | No user action is required. A fix has been released in the automatic update channel since 13th May 2019. |

Credits

F-Secure Corporation would like to thank Conor McErlane for bringing this issue to our attention.

Date Issued: 2019-05-16