Security Advisories
FSC-2015-2: Path traversal vulnerability
Description
During internal testing, F-Secure identified a path traversal vulnerability in the database update component.
Affected Products
Risk Level (Low/Medium/High/Critical): High
Corporate products
- F-Secure Client Security 10.0 - 11.60
- F-Secure Client Security Premium 11.0 - 11.60
- F-Secure Anti-Virus for Workstations 10.0 - 11.60
- F-Secure Server Security 10.00 - 11.01
- F-Secure Server Security Premium 11.00 - 11.01
- F-Secure Email and Server Security 10.00 - 11.01
- F-Secure Email and Server Security Premium 10.00 - 11.01
- F-Secure Policy Manager for Windows 10.10 - 11.30
- F-Secure Protection Service for Business (PSB) Workstation Security 10.00 - 10.10
- F-Secure Protection Service for Business (PSB) Server Security 10.00 - 11.00
- F-Secure Protection Service for Business (PSB) Email and Server Security 10.00 - 11.00
- F-Secure Linux Security 10.00 - 10.20
- F-Secure Internet Gatekeeper 4.11 - 5.20
- F-Secure Policy Manager for Linux 10.10 - 11.30
- F-Secure Internet Gatekeeper for Virtual Appliance 5.20
- F-Secure Scanning and Reputation Server 11.00
Consumer products
- F-Secure Safe Anywhere PC 12.0 - 15.1
- F-Secure Safe Anywhere Mac
- F-Secure Internet Security 2013 - 2015
- F-Secure Anti-Virus 2013 - 2015
- Younited clients
- F-Secure Online Scanner 6.2
- F-Secure Ultralight Anti-Virus (beta)
Platforms
- All supported platforms for the affected products
More Information
During internal testing at F-Secure, it was discovered that a remote attacker in a Man-in-the-Middle (MITM) position on the update channel can perform path traversal against the database update component. Upon successful exploitation, the attacker can replace any file on an affected system.
This advisory will be updated as additional information becomes available.
Note: Appropriate fixes have been applied to all F-Secure backend systems prior to the security advisory release.
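The defensive check an update component needs against the traversal described above, as an added example that is not F-Secure's code: file names received over the channel are treated as untrusted and confined to a staging directory. The base directory, the manifest entries and the function names are constructed for illustration.

```python
import os

# Assumed staging directory for downloaded update files (constructed for this example)
UPDATE_DIR = "/var/lib/updater/incoming"

# Constructed sample manifest entries as an update channel might deliver them;
# the traversal-style names are the kind of input the check must refuse
SAMPLE_MANIFEST = [
    "defs/daily.dat",
    "engine/./scanner.bin",
    "engine/../../../etc/passwd",
    "/etc/hosts",
    "..\\..\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Program Files\\Vendor\\scanner.exe",
]

class UnsafeUpdatePath(ValueError):
    """Raised when a channel-supplied file name could escape the update directory."""

def safe_update_target(base_dir: str, name: str) -> str:
    """Return the absolute path under base_dir where `name` may be written, or raise.
    `name` comes over the update channel, so it is treated as attacker-controlled."""
    if not name or "\x00" in name:
        raise UnsafeUpdatePath("empty name or NUL byte")
    # Backslash is a separator too: Windows clients are among the affected products
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise UnsafeUpdatePath("absolute path, UNC path or drive letter")
    parts = [p for p in normalized.split("/") if p]
    if ".." in parts:
        raise UnsafeUpdatePath("parent-directory component")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # Containment check on the resolved path: catches symlinks inside base_dir and
    # prefix look-alikes such as /var/lib/updater/incoming-evil
    if os.path.commonpath([base, target]) != base:
        raise UnsafeUpdatePath("resolves outside the update directory")
    return target

def triage_manifest(base_dir: str, names: list) -> tuple:
    """Split names into accepted {name: target path} and rejected {name: reason}."""
    accepted, rejected = {}, {}
    for name in names:
        try:
            accepted[name] = safe_update_target(base_dir, name)
        except UnsafeUpdatePath as reason:
            rejected[name] = str(reason)
    return accepted, rejected
```

Path containment is only one half of the fix; the channel itself still needs authenticated content (signed updates over a verified transport) so that a MITM cannot substitute files whose names pass this check.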
Fix Available
| Product/Platform | Versions | Remarks |
|---|---|---|
| F-Secure Client Security (Standard & Premium) | 10.00 - 11.60 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Anti-Virus for Workstations | 10.0 - 11.60 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Server Security (Standard & Premium) | 10.00 - 11.01 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Email and Server Security (Standard & Premium) | 10.00 - 11.01 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Policy Manager for Windows | 10.10 - 11.30 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Protection Service for Business (PSB) Workstation Security | 10.00 - 10.10 | Multifix has been deployed and made available. |
| F-Secure Protection Service for Business (PSB) Server Security | 10.00 - 11.00 | Multifix has been deployed and made available. |
| F-Secure Protection Service for Business (PSB) Email and Server Security | 10.00 - 11.00 | Multifix has been deployed and made available. |
| F-Secure Linux Security | 10.00 - 10.20 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version. |
| F-Secure Internet Gatekeeper | 4.11 - 5.20 | Hotfix for 4.x version: https://download.f-secure.com/corpro/igk/igk4.12/fsigk-4.xx-hf2.tar.gz ; hotfix for 5.x version: https://download.f-secure.com/corpro/igk/current/fsigk-5.xx-hf1.tar.gz . Note: For IGK 5.00 and prior to 4.11, upgrade to the latest available release (5.20 and 4.12) before applying the corresponding hotfix. |
| F-Secure Policy Manager for Linux | 10.10 - 11.30 | Hotfix for 11.x version: https://download.f-secure.com/corpro/pm_linux/pm_linux11.31/fspm-11.xx-linux-hotfix-1.zip . As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
| F-Secure Internet Gatekeeper for Virtual Appliance | | |
| F-Secure Scanning and Reputation Server | 11.00 | |
| F-Secure Safe Anywhere PC | 12.0 - 15.1 | Fix is available in the automatic update channel. No user actions required. |
| F-Secure Safe Anywhere Mac | | Fix is available in the automatic update channel. Manual initiation of the installation through the notification or menu bar is required. |
| F-Secure Internet Security | 2013 - 2015 | Fix is available in the automatic update channel. No user actions required. |
| F-Secure Anti-Virus | 2013 - 2015 | Fix is available in the automatic update channel. No user actions required. |
| Younited for Windows | | Update to the latest client when prompted. |
| Younited for Mac | | Update to the latest client when prompted. |
| F-Secure Online Scanner | | Download the latest version from https://www.f-secure.com/en/web/home_global/online-scanner |
| F-Secure Ultralight Anti-Virus | | Fix is available in the automatic update channel. No user actions required. |
Advisory history
| Date | Changes |
|---|---|
| 11 Nov 2016 | Updated Fix Available table to remove links for products that have reached End-of-Life. |
| 17 May 2016 | Updated Fix Available table to remove links for products that have reached End-of-Life. |
| 1 April 2015 | Updated list of affected products to include Internet Security and Anti-Virus. |
| 30 March 2015 | Updated list of affected products to indicate Premium products. |
| 24 March 2015 | Updated issue description. |
| 12 March 2015 | First advisory published. |
Date Issued: 2015-03-12
Date Updated: 2016-11-11