===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2004.0563 -- iDEFENSE Security Advisory 09.09.04
 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability
                              10 September 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                F-Secure Anti-Virus for Microsoft Exchange
                        F-Secure Internet Gatekeeper
Publisher:              iDEFENSE
Operating System:       Windows
Impact:                 Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0830

--------------------------BEGIN INCLUDED TEXT--------------------

F-Secure Internet Gatekeeper Content Scanning Server Denial of Service
Vulnerability

iDEFENSE Security Advisory 09.09.04
www.idefense.com/application/poi/display?id=137&type=vulnerabilities
September 9, 2004

I. BACKGROUND

F-Secure Internet Gatekeeper is an antivirus and content filtering
solution for protecting SMTP and HTTP traffic at the Internet gateway.
Additional information is available at:

    http://www.f-secure.com/products/anti-virus/fsigk/

II. DESCRIPTION

Remote exploitation of an input validation error in F-Secure's Internet
Gatekeeper could allow attackers to trigger a denial of service against
the Content Scanner Server.

F-Secure Internet Gatekeeper is an automated antivirus, content filtering
and access control solution for e-mail and Web traffic at the Internet
gateway.

The problem specifically exists in the handling of malformed packets
received by the Content Scanner on port 18971. A denial of service
condition is triggered during the parsing of the packet, causing the
application to fail with an access violation error. The vulnerability does
not appear to be further exploitable.

III. ANALYSIS

Successful exploitation allows remote attackers to crash the service.

Once the server has crashed, depending on configuration options, a dialog
box may appear on the desktop indicating that the FSAVSD.EXE process has
crashed. Once this has been cleared, or if there is no dialog box, the
server will automatically restart after approximately 30 to 40 seconds.
During this time, the server will not respond to any requests made of it.
It is possible to cause the server to fail repeatedly by sending packets
at short intervals.

IV. DETECTION

iDEFENSE has confirmed that F-Secure Internet Gatekeeper Server 6.31
build 33 is vulnerable. The vendor has reported that the following
versions are vulnerable:

- F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier
- F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier
- F-Secure Internet Gatekeeper 6.32 and earlier

V. WORKAROUND

Vendor supplied workaround:

The product can be configured so that only allowed connections are
accepted by the F-Secure Content Scanner Server.

- Configure CSS to accept connections only from known IP addresses:

  * In F-Secure Policy Manager Console, go to F-Secure Content Scanner
    Server > Settings > Interface and in the "Accept Connections" setting
    specify the comma-separated list of IP addresses the server will
    accept requests from.

  * In the local user interface, a similar setting can be found on the
    Interface tab page under the Server/Interface category.

VI. VENDOR RESPONSE

"We have confirmed the problem with CSS 6.31 which is included in both
F-Secure Anti-Virus for Microsoft Exchange 6.01 and 6.21 and also in
F-Secure Internet Gatekeeper 6.32. The problem exists also in the older
version, CSS 6.30, which was included in F-Secure Anti-Virus for Microsoft
Exchange 6.20 and F-Secure Internet Gatekeeper 6.30/6.31. However, the
latest released versions of the products, F-Secure Anti-Virus for
Microsoft Exchange 6.30 and F-Secure Internet Gatekeeper 6.40, which
include F-Secure Content Scanner Server 6.40, are not affected by this
anymore.

The reason for the problem was incorrect exception handling. In the new
version of the product the situation [is] fixed with new design and added
validity checks. We do not consider this a major issue because the
products are installed in the company internal network or at least in
DMZ so the port should not be exposed to the public Internet."

A hotfix is available from:

    http://www.f-secure.com/security/fsc-2004-2.shtml

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0830 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/25/2004  Initial vendor notification
08/25/2004  iDEFENSE clients notified
08/25/2004  Initial vendor response
09/09/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================