FSC-2019-1: Local Code Execution Vulnerability in F-Secure Windows Endpoint Protection Products

F-Secure installer is prone to a local arbitrary code-execution vulnerability because it fails to sanitize user-supplied input.

Status: Fixed

Action required: No user action is required, but customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.

• F-Secure Server Security Premium/Standard
• F-Secure Email and Server Security Premium/Standard
• F-Secure PSB Email and Server Security 
• F-Secure PSB Workstation Security

• All supported platforms for the affected products

A vulnerability affecting most F-Secure Windows endpoint protection products was discovered whereby the attacker has a possibility to replace the fssetup.exe binary that participates in the installation procedure. Fssetup.exe is unpacked at the general user-accessible path and can be launched with administrator privileges.

This issue and a Proof-of-Concept exploit were reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.

An attacker must have file creation rights on the machine prior to successful exploitation.

As the issue is only exploitable during the installation process, there is no need to reinstall the product. Customers who have previously downloaded the installer should ensure they download the fixed version for future deployments.

F-Secure Corporation would like to thank Pierre-Alexandre Braeken for bringing this issue to our attention.

Date Issued: 2019-02-05