FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security
Summary
Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.
STATUS: RESOLVED
RISK LEVEL: MEDIUM
FIX: Hotfix 9 was published to fix this vulnerability. Download and instructions on: https://www.f-secure.com/en/business/downloads/linux-security
Affected Products
Corporate Products:
- F-Secure Linux Security Version 11.00
- F-Secure Linux Security Version 11.10
Platforms
- All supported platforms of the affected products
More Information
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the web user interface of F-Secure Linux Security. An unauthenticated user can send the CSRF request to the web user interface. A successful attack can lead to the product settings being disabled remotely through the web interface. These include antivirus, the firewall, and the integrity protection settings.
This issue and a Proof-of-Concept exploit was reported privately to F-Secure as part of our Vulnerability Reward Program. No known attacks have been reported or observed in the wild.
Mitigating Factors
When configuring the Linux Security 11-series, the administrator should not browse to further sites until configuration is complete and they have signed out of the web interface.
Fix Available
| Product | Versions | Fix |
|---|---|---|
| F-Secure Linux Security | 11.00 |
Hotfix 9 was published to fix this vulnerability. Download and instructions on: https://www.f-secure.com/en/business/downloads/linux-security |
Credits
F-Secure Corporation would like to thank Tomas Bortoli (tomasbortoli@gmail.com) for bringing this issue to our attention.
Date Issued: 2020-05-19