During internal testing, F-Secure identified a path traversal vulnerability in the database update component.
Corporate products:
Consumer products:
During internal testing, F-Secure discovered that a remote attacker can perform path traversal against the update channel through a Man-in-the-Middle (MITM) attack. On successful exploitation, the attacker can replace any file on an affected system.
This advisory will be updated as additional information becomes available.
Note: Appropriate fixes have been applied to all F-Secure backend systems prior to the security advisory release.
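One way an update client can keep file names received over the update channel from escaping the update directory, shown as an added example (not F-Secure's code or fix). The function names, the entry format (name mapped to bytes) and the premise that the traversal arrives in entry names are assumptions for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeUpdatePath(ValueError):
    """Raised when an update entry would be written outside the update root."""


def resolve_update_target(root: str, entry_name: str) -> Path:
    """Map an untrusted entry name to a path guaranteed to stay under root."""
    if not entry_name or "\x00" in entry_name:
        raise UnsafeUpdatePath(f"empty or NUL-containing name: {entry_name!r}")
    # Judge the name under both Windows and POSIX rules, so "..\\x", "C:\\x",
    # "\\\\host\\share\\x" and "/etc/x" are rejected on any platform.
    win = PureWindowsPath(entry_name)
    posix = PurePosixPath(entry_name.replace("\\", "/"))
    if win.drive or win.root or posix.is_absolute():
        raise UnsafeUpdatePath(f"absolute path: {entry_name!r}")
    if not posix.parts or ".." in posix.parts:
        raise UnsafeUpdatePath(f"parent-directory or empty segment: {entry_name!r}")
    root_real = Path(root).resolve()
    # resolve() follows symlinks already on disk, so a link planted inside
    # the root cannot redirect the write to another location.
    target = root_real.joinpath(*posix.parts).resolve()
    if root_real not in target.parents:
        raise UnsafeUpdatePath(f"escapes update root: {entry_name!r}")
    return target


def apply_update(root: str, entries: dict) -> list:
    """Validate every entry first, then write; one bad name rejects the whole update."""
    targets = [(resolve_update_target(root, name), data)
               for name, data in entries.items()]
    written = []
    for target, data in targets:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        written.append(target)
    return written
```

The containment check is only one layer: because the attack described here is delivered by a MITM, update content should also be authenticated before any of it is written.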
Product/Platform | Versions | Remarks |
---|---|---|
F-Secure Client Security (Standard & Premium) | 10.00 - 11.60 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Anti-Virus for Workstations | 10.0 - 11.60 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Server Security (Standard & Premium) | 10.00 - 11.01 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Email and Server Security (Standard & Premium) | 10.00 - 11.01 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Policy Manager for Windows | 10.10 - 11.30 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Protection Service for Business (PSB) Workstation Security | 10.00 - 10.10 | Multifix has been deployed and made available. Version 10.00 - PSB WKS 10.00 Multifix 04; Version 10.10 - PSB WKS 10.10 Multifix 01 |
F-Secure Protection Service for Business (PSB) Server Security | 10.00 - 11.00 | Multifix has been deployed and made available. Version 10.00 - PSB ESS 10.00 Multifix 04; Version 11.00 - PSB ESS 11.00 Multifix 02 |
F-Secure Protection Service for Business (PSB) Email and Server Security | 10.00 - 11.00 | Multifix has been deployed and made available. Version 10.00 - PSB ESS 10.00 Multifix 04; Version 11.00 - PSB ESS 11.00 Multifix 02 |
F-Secure Linux Security | 10.00 - 10.20 | As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version. |
F-Secure Internet Gatekeeper | 4.11 - 5.20 | Hotfix for 4.x version: https://download.f-secure.com/corpro/igk/igk4.12/fsigk-4.xx-hf2.tar.gz; Hotfix for 5.x version: https://download.f-secure.com/corpro/igk/current/fsigk-5.xx-hf1.tar.gz. Note: For IGK 5.00 and versions prior to 4.11, upgrade to the latest available release (5.20 and 4.12) before applying the corresponding hotfix. |
F-Secure Policy Manager for Linux | 10.10 - 11.30 | Hotfix for 11.x version: https://download.f-secure.com/corpro/pm_linux/pm_linux11.31/fspm-11.xx-linux-hotfix-1.zip. As the 10.x version of this product has reached End-of-Life and is no longer supported, please upgrade to the latest product version and apply the latest hotfixes. |
F-Secure Internet Gatekeeper for Virtual Appliance | | |
F-Secure Scanning and Reputation Server | 11.00 | |
F-Secure Safe Anywhere PC | 12.0 – 15.1 | Fix is available in the automatic update channel. No user actions required. |
F-Secure Safe Anywhere Mac | | Fix is available in the automatic update channel. Manual initiation of the installation through the notification or menu bar is required. |
F-Secure Internet Security | 2013 - 2015 | Fix is available in the automatic update channel. No user actions required. |
F-Secure Anti-Virus | | Fix is available in the automatic update channel. No user actions required. |
Younited for Windows | | Update to the latest client when prompted. |
Younited for Mac | | Update to the latest client when prompted. |
F-Secure Online Scanner | | Download the latest version from F-Secure Online Scanner page. |
F-Secure Ultralight Anti-Virus | | Fix is available in the automatic update channel. No user actions required. |
Date | Changes |
---|---|
12 March 2015 | First advisory published. |
24 March 2015 | Updated issue description. Updated list of affected products to include corporate products, along with fixes. |
30 March 2015 | Updated list of affected products to indicate Premium products. |
1 April 2015 | Updated list of affected products to include Internet Security and Anti-Virus. |
17 May 2015 | Updated Fix Available table to remove links for products that have reached End-of-Life. |
11 November 2016 | Updated Fix Available table to remove links for products that have reached End-of-Life. |
Date Issued: 2015-03-12
Date Updated: 2016-11-11