===========================================================================
             AUSCERT External Security Bulletin Redistribution

                      ESB-2007.0462 -- [Win][Linux]
    F-Secure Security Bulletin FSC-2007-5: Scan bypass vulnerabilities in
             handling of specially crafted LHA and RAR archives
                              25 June 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              F-Secure's Anti-Virus products for Microsoft Windows
                      and Linux
Publisher:            F-Secure
Operating System:     Windows
                      Linux variants
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3300

Original Bulletin:    http://www.f-secure.com/security/fsc-2007-5.shtml

- --------------------------BEGIN INCLUDED TEXT--------------------

F-Secure Security Bulletin FSC-2007-5

Scan bypass vulnerabilities in handling of specially crafted LHA and RAR
archives

Date issued    2007-06-19
Last updated   2007-06-18
Risk factor    Medium (Low/Medium/High/Critical)

Brief description

Several F-Secure products are affected by archive file scan bypass
vulnerabilities:

- user-decompressable, crafted RAR archives cannot be parsed (opened) by
  Anti-Virus
- user-decompressable, crafted LHA archives cannot be parsed (opened) by
  Anti-Virus

Software

F-Secure's Anti-Virus products for Microsoft Windows and Linux

Affected versions

F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.61 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00
and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Linux Client Security 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier

Affected platforms

All platforms supported by the affected products

Bulletin location

http://www.f-secure.com/security/fsc-2007-5.shtml

Issue:

An attacker may create a specially crafted LHA or RAR archive file with
manipulated archive file header fields and malicious contents, which then
passes through Anti-Virus scanning without interception. The manipulated
header fields break the archive from the Anti-Virus parser's point of view,
but certain decompression programs are still able to open the archive for
the user, in some cases with errors displayed.

______________________________________________________________________

Workstation products:

F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00
and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for Workstations 7.00 and earlier
F-Secure Linux Client Security 5.52 and earlier

Risk Factor: Low

These products contain the described vulnerabilities, but do not scan
inside archives by default, except through their e-mail scanning component
where one is present. Archive contents that evade detection in the initial
scan are intercepted at the time of decompression. Recent antivirus
database updates have automatically fixed both of the mentioned issues,
without any intervention needed by the user/administrator.

______________________________________________________________________

Server products:

F-Secure Anti-Virus for Windows Servers 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier

Risk Factor: Low

These products contain the described vulnerabilities, but do not scan
inside archives by default. Recent antivirus database updates have
automatically fixed both of the mentioned issues, without any intervention
needed by the user/administrator.

______________________________________________________________________

Gateway products:

F-Secure Internet Gatekeeper 6.61 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Internet Gatekeeper for Linux 2.16

Risk Factor: High

These gateway products typically scan inside archives and are therefore
affected by the vulnerability. However, antivirus software on the receiving
clients intercepts the malicious contents at the point where the user
decompresses the archive. Recent antivirus database updates have
automatically fixed both of the mentioned issues, without any intervention
needed by the user/administrator.

______________________________________________________________________

Gateway products:

F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Risk Factor: Medium

F-Secure Anti-Virus for MIMEsweeper does not handle archives. Archives are
handled by MIMEsweeper, and this vulnerability does not affect the
reliability of such systems. The vulnerability does, however, affect the
virus scanner's ability to detect malware stored in archives on the disk of
the computer that runs MIMEsweeper. The impact of this is minimal in the
default configuration. Recent antivirus database updates have automatically
fixed both of the mentioned issues, without any intervention needed by the
user/administrator.
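For the gateway products, where the scanner's verdict is the only check before delivery, the safer policy is to treat an archive the scanner cannot parse as unscannable and hold it rather than pass it on. The following Python is an added example of that fail-closed check (not F-Secure's code and not the database-update fix described above): it validates the LHA level-0/1 header checksum and the RAR 2.x/4.x block header CRCs and sizes, and reports any inconsistency as UNPARSEABLE. The two sample archives at the end are constructed for the demonstration.

```python
"""Fail-closed LHA/RAR header triage (added example, not F-Secure code): an archive
whose header fields do not validate is reported UNPARSEABLE so a gateway can
quarantine it instead of passing it through unscanned."""
import struct
import zlib
RAR_SIGNATURE = b"Rar!\x1a\x07\x00"  # RAR marker block; other block headers follow it

def check_lha(data: bytes) -> str:
    """LHA level 0/1: byte 0 = header size, byte 1 = 8-bit sum of the header body."""
    if len(data) < 22:
        return "UNPARSEABLE: truncated header"
    hdr_size, checksum, level = data[0], data[1], data[20]
    body = data[2:2 + hdr_size]
    if level > 1 or hdr_size < 22 or len(body) != hdr_size:
        return "UNPARSEABLE: unsupported level or header size outside file"
    if sum(body) & 0xFF != checksum:
        return "UNPARSEABLE: header checksum mismatch"
    if body[0] != ord("-") or body[4] != ord("-"):  # method id such as "-lh5-"
        return "UNPARSEABLE: bad method id"
    return "OK"

def check_rar(data: bytes) -> str:
    """RAR 2.x/4.x: HEAD_CRC is the low 16 bits of CRC32 over the header after the
    CRC field; HEAD_SIZE plus any ADD_SIZE must stay inside the file."""
    if not data.startswith(RAR_SIGNATURE):
        return "UNPARSEABLE: missing RAR signature"
    pos = len(RAR_SIGNATURE)
    while pos < len(data):
        if pos + 7 > len(data):
            return "UNPARSEABLE: truncated block header"
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        long_block = bool(flags & 0x8000)  # LONG_BLOCK: 4-byte ADD_SIZE follows HEAD_SIZE
        if head_size < (11 if long_block else 7) or pos + head_size > len(data):
            return "UNPARSEABLE: header size outside file"
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            return f"UNPARSEABLE: CRC mismatch in block type 0x{head_type:02x}"
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if long_block else 0
        pos += head_size + add_size
    return "OK" if pos == len(data) else "UNPARSEABLE: block data outside file"

def rar_block(head_type: int, flags: int, payload: bytes) -> bytes:
    """Assemble one RAR block header with a correct HEAD_CRC (for the samples)."""
    body = struct.pack("<BHH", head_type, flags, 7 + len(payload)) + payload
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body

# Constructed samples: an empty RAR (archive header only) and one LHA file header.
SAMPLE_RAR = RAR_SIGNATURE + rar_block(0x73, 0, bytes(6))
LHA_BODY = b"-lh0-" + bytes(12) + b"\x20\x00\x05x.txt\x00\x00"
SAMPLE_LHA = bytes([len(LHA_BODY), sum(LHA_BODY) & 0xFF]) + LHA_BODY
```

A check like this only tells the gateway that its own parser rejected the file; the point of the policy is that a rejected archive is held for inspection instead of being delivered as if it had been scanned clean.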
______________________________________________________________________

Mitigating Factors:

* Exploitation of the vulnerabilities requires specially crafted archives.
* The vulnerability in archive scanning concerns only those products that
  scan inside archives by default (gateway solutions).
* These issues have been fixed automatically in F-Secure database updates.
  This applies to all the affected product versions, with the exception of
  deployments that do not use automatic updates or automated update scripts.

Patch availability:

The following versions have been "Fixed automatically in database updates":

Product                                          Versions
F-Secure Internet Security                       2005 - 2007
F-Secure Anti-Virus                              2005 - 2007
F-Secure Protection Service for Consumers        5.00 - 7.00
F-Secure Anti-Virus for Workstations             5.44 - 7.00
F-Secure Client Security                         6.00 - 7.00
F-Secure Anti-Virus for Windows Servers          5.50 - 7.00
F-Secure Anti-Virus for Citrix Servers           5.50 - 5.52
F-Secure Anti-Virus for MIMEsweeper              5.61
F-Secure Anti-Virus for MS Exchange              6.01
F-Secure Anti-Virus for MS Exchange              6.61 - 7.00
F-Secure Internet Gatekeeper                     6.60 - 6.61
F-Secure Anti-Virus for Linux Servers            4.64 - 4.65
F-Secure Anti-Virus for Linux Gateways           4.64 - 4.65
F-Secure Linux Client Security                   5.30 - 5.52
F-Secure Linux Server Security                   5.30 - 5.52
F-Secure Internet Gatekeeper for Linux           2.16

Credits:

F-Secure wants to thank Thierry Zoller of n.runs AG (http://www.nruns.com/)
for reporting these issues.

Revision History:

FSC-2007-5 - 2007-06-15

Contact Information:

Support:   http://support.f-secure.com/enu/home/contactus/
Security:  http://www.f-secure.com/security/
URL:       http://www.f-secure.com/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================