-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                       ESB-2007.0462 -- [Win][Linux]
   F-Secure Security Bulletin FSC-2007-5: Scan bypass vulnerabilities in
            handling of specially crafted LHA and RAR archives
                               25 June 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              F-Secure's Anti-Virus products for Microsoft Windows
                        and Linux
Publisher:            F-Secure
Operating System:     Windows
                      Linux variants
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3300

Original Bulletin:    http://www.f-secure.com/security/fsc-2007-5.shtml

--------------------------BEGIN INCLUDED TEXT--------------------

F-Secure Security Bulletin FSC-2007-5
Scan bypass vulnerabilities in handling of specially crafted LHA and RAR
archives

Date issued  2007-06-19
Last updated 2007-06-18
Risk factor  Medium (Low/Medium/High/Critical)

Brief description
Several F-Secure products are affected by archive file scan bypass
vulnerabilities:
 - crafted RAR archives that the user can still decompress cannot be
   parsed (opened) by Anti-Virus
 - crafted LHA archives that the user can still decompress cannot be
   parsed (opened) by Anti-Virus

Software
F-Secure's Anti-Virus products for Microsoft Windows and Linux

Affected versions
F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.61 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version
7.00 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Linux Client Security 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier

Affected platforms
All platforms supported by the affected products

Bulletin location
http://www.f-secure.com/security/fsc-2007-5.shtml

Issue:

An attacker may create a specially crafted LHA or RAR archive file
with manipulated archive file header fields and malicious contents,
which then passes through Anti-Virus scanning without interception.

The manipulated file header fields break the archive file from the
Anti-Virus point of view, but certain decompression programs are still
capable of opening the archive for the user, in some cases with errors
displayed.
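The defensive lesson of this bulletin is that an archive the scanner cannot parse must not be passed as clean. The following is an added illustration, not F-Secure's engine or code: a minimal RAR 4.x block walker with a fail-closed verdict function. The `gateway_verdict` policy, the `_block` builder and both sample archives are constructed here for the example; HEAD_CRC values are left as zero and are not verified.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # marker block that opens every RAR 4.x archive
LONG_BLOCK = 0x8000                  # HEAD_FLAGS bit: a 4-byte ADD_SIZE follows the header
END_BLOCK = 0x7B                     # HEAD_TYPE of the archive end block


class ArchiveParseError(Exception):
    """The header chain could not be followed to the end of the archive."""


def walk_rar4_blocks(data: bytes) -> list:
    """Follow the RAR 4.x block chain; return the HEAD_TYPEs seen or raise on any framing error."""
    if not data.startswith(RAR4_MARKER):
        raise ArchiveParseError("missing RAR 4.x marker block")
    pos, types = len(RAR4_MARKER), []
    while pos < len(data):
        try:  # 7-byte block header: HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE
            _crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
            add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        except struct.error:
            raise ArchiveParseError(f"truncated block header at offset {pos}") from None
        if head_size < 7 or pos + head_size + add_size > len(data):
            raise ArchiveParseError(f"inconsistent block size at offset {pos}")
        types.append(head_type)
        pos += head_size + add_size
        if head_type == END_BLOCK:
            break
    return types


def gateway_verdict(data: bytes) -> str:
    """Fail-closed policy (constructed): an archive that cannot be walked is treated like a detection."""
    try:
        walk_rar4_blocks(data)
    except ArchiveParseError as err:
        return f"block: {err}"
    return "scanned"  # only a fully parsed archive may go on to content scanning


def _block(head_type, flags, body=b"", packed=b""):
    """Assemble one RAR 4.x block for the constructed samples below (HEAD_CRC left as zero)."""
    extra = struct.pack("<I", len(packed)) if flags & LONG_BLOCK else b""
    return struct.pack("<HBHH", 0, head_type, flags, 7 + len(extra) + len(body)) + extra + body + packed


# Constructed sample: archive header, one file header with packed data, end block.
GOOD_ARCHIVE = (RAR4_MARKER + _block(0x73, 0, b"\x00" * 6)
                + _block(0x74, LONG_BLOCK, b"\x00" * 21 + b"a.exe", b"PACKED")
                + _block(END_BLOCK, 0x4000))
# Constructed sample: the same bytes with the file header's HEAD_SIZE field (offset 20 + 5) zeroed.
BAD_ARCHIVE = GOOD_ARCHIVE[:25] + b"\x00\x00" + GOOD_ARCHIVE[27:]
```

A scanner that returns "clean" where this returns "block:" is exactly the bypass the bulletin describes.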
______________________________________________________________________

Workstation products:

F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version
7.00 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for Workstations 7.00 and earlier
F-Secure Linux Client Security 5.52 and earlier

Risk Factor: Low

These products contain the described vulnerabilities, but do not scan
inside archives by default, except through their optional e-mail
scanning component. Archive contents that evade detection in the
initial scan will be intercepted at the time of decompression.

Recent antivirus database updates have automatically fixed both of the
mentioned issues, without any intervention needed by the
user/administrator.
______________________________________________________________________

Server products:

F-Secure Anti-Virus for Windows Servers 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier

Risk Factor: Low

These products contain the described vulnerabilities, but do not scan
inside archives by default.

Recent antivirus database updates have automatically fixed both of the
mentioned issues, without any intervention needed by the
user/administrator.
______________________________________________________________________

Gateway products:

F-Secure Internet Gatekeeper 6.61 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Internet Gatekeeper for Linux 2.16

Risk Factor: High

These gateway products typically scan inside archives and are thus
affected by the vulnerability. However, antivirus software on the
receiving clients intercepts the malicious contents at the point of
archive decompression by the user.


Recent antivirus database updates have automatically fixed both of the
mentioned issues, without any intervention needed by the
user/administrator.
______________________________________________________________________

Gateway products:

F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Risk Factor: Medium

F-Secure Anti-Virus for MIMEsweeper does not handle archives. Archives
are handled by MIMEsweeper and this vulnerability does not affect the
reliability of such systems. The vulnerability does however affect the
virus scanner's ability to detect malware that is stored in archives
on the disk of the computer that runs MIMEsweeper. The impact of this
is however minimal in the default configuration.

Recent antivirus database updates have automatically fixed both of the
mentioned issues, without any intervention needed by the
user/administrator.
______________________________________________________________________

Mitigating Factors:
  * Exploitation of the vulnerabilities requires specially crafted
    archives.
  * Vulnerability in archive scanning concerns only those products
    that scan inside archives by default (gateway solutions).
  * These issues have been fixed automatically in F-Secure database
    updates. This applies to all the affected product versions, with the
    exception of deployments that do not use automatic or scripted
    updates.

Patch availability:

The following versions have been "Fixed automatically in database 
updates":

Product                                      Versions 
F-Secure Internet Security                   2005 - 2007
F-Secure Anti-Virus                          2005 - 2007
F-Secure Protection Service for Consumers    5.00 - 7.00
F-Secure Anti-Virus for Workstations         5.44 - 7.00
F-Secure Client Security                     6.00 - 7.00
F-Secure Anti-Virus for Windows Servers      5.50 - 7.00
F-Secure Anti-Virus for Citrix Servers       5.50 - 5.52
F-Secure Anti-Virus for MIMEsweeper          5.61
F-Secure Anti-Virus for MS Exchange          6.01
F-Secure Anti-Virus for MS Exchange          6.61 - 7.00
F-Secure Internet Gatekeeper                 6.60 - 6.61
F-Secure Anti-Virus for Linux Servers        4.64 - 4.65
F-Secure Anti-Virus for Linux Gateways       4.64 - 4.65
F-Secure Linux Client Security               5.30 - 5.52
F-Secure Linux Server Security               5.30 - 5.52
F-Secure Internet Gatekeeper for Linux       2.16

Credits: F-Secure wants to thank Thierry Zoller of n.runs AG
(http://www.nruns.com/) for reporting these issues.

Revision History:

FSC-2007-5 - 2007-06-15


Contact Information:
Support: http://support.f-secure.com/enu/home/contactus/
Security: http://www.f-secure.com/security/
URL: http://www.f-secure.com/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
