Security Advisories
FSC-2019-02: Local Code Execution Vulnerability in F-Secure Windows Endpoint Protection Product installers
Summary
A DLL pre-loading vulnerability in F-Secure installers can lead to arbitrary code-execution during installation.
STATUS: RESOLVED
ACTION REQUIRED: No user action is required, except for environments using F-Secure Policy Manager; see details below.
RISK LEVEL: MEDIUM
FIX: As the issue is only exploitable during the installation process, there is no need to reinstall the product. Only for environments using F-Secure Policy Manager may the administrator need to fetch new installers; see details below. In all other environments is the automatic update channel used during installation.
Affected Products
Consumer Products:
- F-Secure SAFE for Windows
- F-Secure Internet Security
- F-Secure Anti-Virus
Corporate Products:
- F-Secure Client Security Standard and Premium
- F-Secure PSB Workstation Security
- F-Secure Computer Protection Standard and Premium
Platforms
- Windows
More Information
A vulnerability affecting most F-Secure Windows endpoint protection products was discovered whereby a planted DLL file would get executed during installation of the product. This would result in local privilege escalation on the endpoint.
This issue and a Proof-of-Concept exploit was reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
Mitigating Factors
An attacker must have file creation rights on the machine prior to successful exploitation.
Available fix
As the issue is only exploitable during the installation process, there is no need to reinstall the product. Only for environments using F-Secure Policy Manager may the administrator need to fetch new installers; see details below. In all other environments is the automatic update channel used during installation.
Consumer products:
| Product | Versions | Fix |
|---|---|---|
| F-Secure SAFE for Windows | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |
| F-Secure Internet Security | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |
| F-Secure Anti-Virus | 17.6 | No user actions needed. Fix has been released in the automatic update channel since 6th May 2019. |
Corporate products:
| Product | Versions | Fix |
|---|---|---|
| F-Secure Client Security Standard and Premium | 14.0x | A fix has been released in the automatic update channel since 30th April 2019. User action is required for local MSI installation this need be re-exported with Policy Manager 14.10 to fix this vulnerability. Customer who is running Policy Manager 14.0x version must upgrade to Policy Manager 14.10 to fix this vulnerability in CS.14.0x No user actions required for centralized installation with Policy Manager 14.10. |
| F-Secure PSB Workstation Security | 12.01 | No user action is required. A fix has been released in the automatic update channel since 30th April 2019. |
| F-Secure Computer Protection Standard and Premium | 19.3 | No user action is required. A fix has been released in the automatic update channel since 13th May 2019. |
Credits
F-Secure Corporation would like to thank Conor McErlane for bringing this issue to our attention.
Date Issued: 2019-05-16