The F-Secure installer is prone to a local arbitrary code-execution vulnerability because it fails to sanitize user-supplied input.
Status: Fixed
Action required: No user action is required, but customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.
A vulnerability affecting most F-Secure Windows endpoint protection products was discovered whereby an attacker could replace the fssetup.exe binary that participates in the installation procedure. fssetup.exe is unpacked to a path accessible to all local users and can then be launched with administrator privileges.
This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
An attacker must have file creation rights on the machine prior to successful exploitation.
As the issue is only exploitable during the installation process, there is no need to reinstall the product. Customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.
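As an added example (not F-Secure's code or installer), a PowerShell check a defender can run against the directory an installer unpacks into, to confirm that low-privileged users cannot write there and so cannot replace a staged helper binary such as fssetup.exe before it is launched elevated; the path in the usage line is assumed for illustration.

```powershell
# Added example, not part of the advisory or the F-Secure installer.
# Reports ACEs that let every local user write into a staging directory.
function Test-StagingDirectoryWritable {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Principals that any local user effectively belongs to.
    $lowPrivPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that allow creating or overwriting files in the directory.
    $dangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Modify -bor
                       [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateFiles

    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Note: generic access masks (shown as raw numbers) are not decoded here
        # and should be reviewed manually if they appear in the ACL.
        if (($ace.FileSystemRights -band $dangerousRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Usage with an assumed path; replace it with the installer's real extraction directory.
$result = Test-StagingDirectoryWritable -Path "$env:ProgramData\ExampleVendor\Setup"
if ($result) {
    $result | Format-Table -AutoSize
    Write-Warning "Low-privileged users can write here; a helper launched elevated from this path could be replaced."
} else {
    Write-Output "No low-privileged write access found on the staging directory."
}
```

Run it in an elevated session so Get-Acl can read the directory's full ACL; an empty result means the staging path is not writable by the listed low-privileged principals.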
Product | Versions | Fix |
---|---|---|
F-Secure Server Security Premium/Standard | 12.12 | No user action is required. A fixed new installer is available here. |
F-Secure Email and Server Security Premium/Standard | 12.12 | No user action is required. A fixed new installer is available here. |
F-Secure PSB Email and Server Security | 12.10 | No user action is required. A fixed new installer will be available on the PSB Portal software download page. |
F-Secure PSB Workstation Security | 12.01 | No user action is required. A fixed new installer will be available on the Portal software download page. |
F-Secure Corporation would like to thank Pierre-Alexandre Braeken for bringing this issue to our attention.
Date Issued: 2019-02-05