Security Advisories

FSC-2015-2: Path traversal vulnerability

Description

During internal testing, F-Secure identified a path traversal vulnerability in the database update component.

Affected Products

Risk Level (Low/Medium/High/Critical): High

Corporate products

  • F-Secure Client Security 10.0 - 11.60
  • F-Secure Client Security Premium 11.0 - 11.60
  • F-Secure Anti-Virus for Workstations 10.0 - 11.60
  • F-Secure Server Security 10.00 - 11.01
  • F-Secure Server Security Premium 11.00 - 11.01
  • F-Secure Email and Server Security 10.00 - 11.01
  • F-Secure Email and Server Security Premium 10.00 - 11.01
  • F-Secure Policy Manager for Windows 10.10 - 11.30
  • F-Secure Protection Service for Business (PSB) Workstation Security 10.00 - 10.10
  • F-Secure Protection Service for Business (PSB) Server Security 10.00 - 11.00
  • F-Secure Protection Service for Business (PSB) Email and Server Security 10.00 - 11.00
  • F-Secure Linux Security 10.00 - 10.20
  • F-Secure Internet Gatekeeper 4.11 - 5.20
  • F-Secure Policy Manager for Linux 10.10 - 11.30
  • F-Secure Internet Gatekeeper for Virtual Appliance 5.20
  • F-Secure Scanning and Reputation Server 11.00

Consumer products

  • F-Secure Safe Anywhere PC 12.0 - 15.1
  • F-Secure Safe Anywhere Mac
  • F-Secure Internet Security 2013 - 2015
  • F-Secure Anti-Virus 2013 - 2015
  • Younited clients
  • F-Secure Online Scanner 6.2
  • F-Secure Ultralight Anti-Virus (beta)

Platforms

  • All supported platforms for the affected products

More Information

During internal testing at F-Secure, it was discovered that a remote attacker in a Man-in-the-Middle (MITM) position on the update channel can perform path traversal against the database update component. Upon successful exploitation, the attacker can replace any file on an affected system.

This advisory will be updated as additional information becomes available.

Note: Appropriate fixes were applied to all F-Secure backend systems before this advisory was released.
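As an added illustration, not F-Secure's code and not a description of the fix that was actually shipped, this is the kind of check an update component needs against this class of bug: every destination path derived from update content must resolve inside the update directory, or the entry is dropped. The function and parameter names are hypothetical and the sample entries are constructed.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeUpdatePath(ValueError):
    """Raised when an update entry would land outside the update directory."""


def resolve_update_target(update_dir: str, entry_name: str) -> str:
    """Map a file name taken from update content onto a path under update_dir.
    Hypothetical helper, not F-Secure's code. entry_name arrived over the
    update channel, so if that channel is intercepted it is attacker-chosen
    and must be confined to update_dir before anything is written.
    """
    if not entry_name or "\x00" in entry_name:
        raise UnsafeUpdatePath(f"empty or NUL-containing name: {entry_name!r}")
    # Treat both separator styles as separators so "..\\" is caught on POSIX too.
    normalized = entry_name.replace("\\", "/")
    parts = PurePosixPath(normalized).parts
    # Reject absolute paths, drive letters and every ".." component outright;
    # merely normalizing them away would still let a crafted entry pick its
    # destination, and a ".." that happens to resolve inside is still suspect.
    if normalized.startswith("/") or PureWindowsPath(entry_name).drive:
        raise UnsafeUpdatePath(f"absolute path not allowed: {entry_name!r}")
    if not parts or ".." in parts:
        raise UnsafeUpdatePath(f"relative component not allowed: {entry_name!r}")
    base = Path(update_dir).resolve()
    target = base.joinpath(*parts).resolve()
    # Final containment check on the resolved path: covers a symlinked base
    # directory and prefix collisions such as /opt/fs versus /opt/fs-old.
    try:
        target.relative_to(base)
    except ValueError:
        raise UnsafeUpdatePath(f"escapes update directory: {entry_name!r}") from None
    return str(target)


def plan_update(update_dir: str, entry_names: list) -> tuple:
    """Split update entries into resolved write targets and rejected names."""
    accepted, rejected = [], []
    for name in entry_names:
        try:
            accepted.append(resolve_update_target(update_dir, name))
        except UnsafeUpdatePath:
            rejected.append(name)
    return accepted, rejected


# Constructed sample entries (not real F-Secure file names): two legitimate
# relative names, then the shapes a manipulated manifest might carry.
SAMPLE_ENTRIES = ["engine/scanner.dat", "signatures/daily.bin",
                  "../../../../etc/hosts", "..\\..\\Windows\\System32\\hosts",
                  "/etc/hosts", "C:\\Windows\\win.ini", "signatures/../engine/x.dat"]
```

Path confinement complements, but does not replace, authenticating the update content itself: on an intercepted channel, unauthenticated files remain a problem even when they land in the right directory.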

Fix Available

Product/Platform Versions Remarks

F-Secure Client Security (Standard & Premium)

10.00 - 11.60

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Anti-Virus for Workstations

10.0 - 11.60

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Server Security (Standard & Premium)

10.00 - 11.01

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Email and Server Security (Standard & Premium)

10.00 - 11.01

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Policy Manager for Windows

10.10 - 11.30

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Protection Service for Business (PSB) Workstation Security

10.00 - 10.10

Multifix has been deployed and made available.
Version 10.00 - PSB WKS 10.00 Multifix 04
Version 10.10 - PSB WKS 10.10 Multifix 01

F-Secure Protection Service for Business (PSB) Server Security

10.00 - 11.00

Multifix has been deployed and made available.
Version 10.00 - PSB ESS 10.00 Multifix 04
Version 11.00 - PSB ESS 11.00 Multifix 02

F-Secure Protection Service for Business (PSB) Email and Server Security

10.00 - 11.00

Multifix has been deployed and made available.
Version 10.00 - PSB ESS 10.00 Multifix 04
Version 11.00 - PSB ESS 11.00 Multifix 02

F-Secure Linux Security

10.00 - 10.20

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version.

F-Secure Internet Gatekeeper

4.11 - 5.20

Hotfix for 4.x version: https://download.f-secure.com/corpro/igk/igk4.12/fsigk-4.xx-hf2.tar.gz

Hotfix for 5.x version: https://download.f-secure.com/corpro/igk/current/fsigk-5.xx-hf1.tar.gz

Note: For IGK 5.00 and for versions prior to 4.11, upgrade to the latest available release (5.20 or 4.12 respectively) before applying the corresponding hotfix.

Recommendation: IGK 4.03-4.10 should upgrade to the latest supported version.

F-Secure Policy Manager for Linux

10.10 - 11.30

Hotfix for 11.x version: https://download.f-secure.com/corpro/pm_linux/pm_linux11.31/fspm-11.xx-linux-hotfix-1.zip

As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes.

F-Secure Internet Gatekeeper for Virtual Appliance

  1. Download and re-install the latest version of the appliance.
  2. Verify the latest appliance version by opening the management console and checking the full version shown in the login screen:
  • IGK VA:5.20.646.15

F-Secure Scanning and Reputation Server

11.00

  1. Download and re-install the latest version of the appliance.
  2. Verify the latest appliance version by opening the management console and checking the full version shown in the login screen:
  • SRS ESXi: 11.00.556.179
  • SRS Hyper-V: 11.00.556.32
  • SRS XenServer: 11.00.556.87

F-Secure Safe Anywhere PC

12.0 - 15.1

Fix is available in the automatic update channel. No user action is required.

F-Secure Safe Anywhere Mac

Fix is available in the automatic update channel. The installation must be started manually from the notification or from the menu bar.

F-Secure Internet Security

2013 - 2015

Fix is available in the automatic update channel. No user action is required.

F-Secure Anti-Virus

2013 - 2015

Fix is available in the automatic update channel. No user action is required.

Younited for Windows

Update to the latest client when prompted.

Younited for Mac

Update to the latest client when prompted.

F-Secure Online Scanner

Download the latest version from https://www.f-secure.com/en/web/home_global/online-scanner

F-Secure Ultralight Anti-Virus

Fix is available in the automatic update channel. No user action is required.

Advisory history

Date           Changes
11 Nov 2016    Updated Fix Available table to remove links for products that have reached End-of-Life.
17 May 2016    Updated Fix Available table to remove links for products that have reached End-of-Life.
1 April 2015   Updated list of affected products to include Internet Security and Anti-Virus.
30 March 2015  Updated list of affected products to indicate Premium products.
24 March 2015  Updated issue description.
               Updated list of affected products to include corporate products, along with fixes.
12 March 2015  First advisory published.

Date Issued: 2015-03-12
Date Updated: 2016-11-11