Security Advisories

FSC-2019-1: Local Code Execution Vulnerability in F-Secure Windows Endpoint Protection Products

Description

The F-Secure installer is prone to a local arbitrary code-execution vulnerability because it fails to sanitize user-supplied input.

Status: Fixed

Action required: No user action is required, but customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.

Affected Products

Risk Level (Low/Medium/High/Critical): Low

  • F-Secure Server Security Premium / Standard
  • F-Secure Email and Server Security Premium / Standard
  • F-Secure PSB Email and Server Security
  • F-Secure PSB Workstation Security

Platforms

  • All supported platforms for the affected products

More Information

A vulnerability affecting most F-Secure Windows endpoint protection products was discovered whereby an attacker could replace the fssetup.exe binary used during the installation procedure. fssetup.exe is unpacked to a path accessible to all local users and can then be launched with administrator privileges.

This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
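As an added illustration (not F-Secure's code), the following Python sketches the defensive pattern for the staging step described above: unpack the helper into a directory only the installing user can write to, record its hash at unpack time, and refuse the elevated launch if the directory turns out to be shared-writable or the staged file no longer matches. The POSIX mode-bit check stands in for the Windows ACL check a real installer would perform (an assumption), and the helper bytes are constructed.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_helper(payload, name="helper.exe"):
    """Unpack the embedded helper into a fresh, owner-only directory rather
    than a shared location; return (path, hash recorded at unpack time).
    mkdtemp() creates the directory with mode 0o700. A Windows installer
    would set an equivalently restrictive ACL instead (assumption)."""
    staging = tempfile.mkdtemp()
    path = os.path.join(staging, name)
    with open(path, "wb") as f:
        f.write(payload)
    return path, hashlib.sha256(payload).hexdigest()


def directory_is_private(path):
    """True if neither group nor others may create files in the directory."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)


def safe_to_launch(helper_path, expected_sha256):
    """Gate the elevated launch: refuse if the staging directory is
    shared-writable or the staged binary no longer matches the hash
    recorded when it was unpacked."""
    if not directory_is_private(os.path.dirname(helper_path)):
        return False
    return sha256_of(helper_path) == expected_sha256


if __name__ == "__main__":
    # Constructed stand-in for the unpacked helper binary.
    path, digest = stage_helper(b"MZ\x90\x00 constructed helper bytes")
    print("untouched:", safe_to_launch(path, digest))  # True
    with open(path, "wb") as f:  # file changed after staging
        f.write(b"MZ\x90\x00 different contents")
    print("modified: ", safe_to_launch(path, digest))  # False
```

The hash check alone still leaves a window between checking and launching; the owner-only staging directory is the control that removes the precondition, and the hash comparison is a backstop that detects tampering if that control is misconfigured.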

Mitigating Factors

An attacker must already have file creation rights on the machine before the issue can be exploited.

Fix Available

As the issue is only exploitable during the installation process, there is no need to reinstall the product. Customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.

Product                                                Version  Fix
F-Secure Server Security Premium / Standard            12.12    No user action is required. A fixed new installer is available on https://www.f-secure.com/en/web/business_global/downloads/server-security
F-Secure Email and Server Security Premium / Standard  12.12    No user action is required. A fixed new installer is available on https://www.f-secure.com/en/web/business_global/downloads/email-and-server-security
F-Secure PSB Email and Server Security                 12.10    No user action is required. A fixed new installer will be available on the PSB Portal software download page.
F-Secure PSB Workstation Security                      12.01    No user action is required. A fixed new installer will be available on the PSB Portal software download page.

Credits

F-Secure Corporation would like to thank Pierre-Alexandre Braeken for bringing this issue to our attention.

Date Issued: 2019-02-05