=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN041
_____________________________________________________________________

DATE                      : 14/02/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running F-Secure Anti-Virus,
                             F-Secure Internet Security,
                             F-Secure Anti-Virus Client Security,
                             F-Secure Internet Gatekeeper,
                             F-Secure Messaging Security Gateway,
                             F-Secure Protection Service.

======================================================================

F-Secure Security Bulletin FSC-2008-1/FSC-2007-7
Vulnerabilities in scanning of specially crafted CAB and RAR archives

    Date issued: 2008-02-13
    Last updated: 2008-02-13
    Risk factor: High (Low/Medium/High/Critical)
    Brief description: Specially crafted CAB and RAR archives can bypass
                       antivirus scanning.
    Affected platforms: All supported platforms
    Clients:
    Products:
    * F-Secure Internet Security 2008
    * F-Secure Internet Security 2007 Second Edition
    * F-Secure Internet Security 2007
    * F-Secure Internet Security 2006
    * F-Secure Anti-Virus 2008
    * F-Secure Anti-Virus 2007 Second Edition
    * F-Secure Anti-Virus 2007
    * F-Secure Anti-Virus 2006
    * F-Secure Anti-Virus Client Security 7.10
    * F-Secure Anti-Virus Client Security 7.01
    * F-Secure Anti-Virus Client Security 6.04
    * F-Secure Anti-Virus Client Security 6.03
    * F-Secure Anti-Virus for Workstations 7.10
    * F-Secure Anti-Virus for Workstations 7.00
    * F-Secure Anti-Virus for Workstations 5.44
    * F-Secure Anti-Virus Linux Client Security 5.53
    * F-Secure Anti-Virus Linux Client Security 5.52
    * F-Secure Anti-Virus for Linux 4.65
    * Solutions based on F-Secure Protection Service for Consumers version
      7.00 and earlier
    * Solutions based on F-Secure Protection Service for Business version
      3.00 and earlier
    Risk Factor: Medium

    User is able to move infected archives to and from client, but client
    does not get infected.
      _________________________________________________________________

    Mitigating Factors:
      * Exploitation of these vulnerabilities requires specially crafted
        archives
      * The CAB issue has been fixed automatically in F-Secure database
        updates, while fixing the RAR archive scanning requires installing
        the hotfix below.
      * Client software catches hostile content after CAB/RAR container is
        opened thus making infection impossible
      _________________________________________________________________

    Servers:
    Products:
    * F-Secure Anti-Virus for Windows Servers 7.00
    * F-Secure Anti-Virus for Windows Servers 5.52
    * F-Secure Anti-Virus for Citrix Servers 5.52
    * F-Secure Anti-Virus Linux Server Security 5.53
    * F-Secure Anti-Virus Linux Server Security 5.52
    Risk Factor: Medium

    User is able to move infected content to and from servers
      _________________________________________________________________

    Mitigating Factors:
      * Exploitation of these vulnerabilities requires specially crafted
        archives
      * The CAB issue has been fixed automatically in F-Secure database
        updates, while fixing the RAR archive scanning requires installing
        the hotfix below.
      * Server software does not scan by default CAB/RAR packed content.
        When the container is opened the exposed content is scanned thus
        making infection impossible.
      _________________________________________________________________

    Gateways:
    Products:
    * F-Secure Anti-Virus for Microsoft Exchange 7.0
    * F-Secure Anti-Virus for Microsoft Exchange 6.62
    * F-Secure Internet Gatekeeper 6.61, Windows
    * F-Secure Internet Gatekeeper for Linux 2.16
    * F-Secure Anti-Virus for MIMEsweeper 5.61
    * F-Secure Messaging Security Gateway 4.0.7 and earlier
    Risk Factor: High

    The gateway passes archives unscanned
      _________________________________________________________________

    Mitigating Factors:
      * Exploitation of these vulnerabilities requires specially crafted
        archives
      * The CAB issue has been fixed automatically in F-Secure database
        updates, while fixing the RAR archive scanning requires installing
        the hotfix below.
      _________________________________________________________________

    Bulletin location: http://www.f-secure.com/security/fsc-2008-1.shtml

    Patch availability:
    * Product    Versions    Hotfix ID
      Download

    * F-Secure Anti-Virus Client Security 6.03 6.04 fsavwk604-01
      ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk604-01-signed.fsfix
    * F-Secure Anti-Virus Client Security 7.00-7.10 fsav741-02
      ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsav741-02-signed.fsfix
    * F-Secure Anti-Virus for Workstations 5.44 fsavwk572-01
      ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk572-01-signed.fsfix
    * F-Secure Anti-Virus for Workstations 7.00-7.10 fsav741-02
      ftp://ftp.f-secure.com/support/hotfix/fsav/fsav741-02-signed.fsfix
    * F-Secure Anti-Virus for Windows Servers 5.52 fsavsr552-14
      ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
    * F-Secure Anti-Virus for Windows Servers 7.00 fsav720-03
      ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsav720-03-signed.fsfix
    * F-Secure Anti-Virus for Citrix Servers 5.52 fsavsr552-14
      ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-14-signed.fsfix
    * F-Secure Anti-Virus Linux Client Security 5.52 New product build#7020
      http://www.f-secure.com/webclub/fscsl.html
    * F-Secure Anti-Virus Linux Client Security 5.53 New product build#7020
      http://www.f-secure.com/webclub/fscsl.html
    * F-Secure Anti-Virus Linux Server Security 5.52 New product build#7020
      http://www.f-secure.com/webclub/fsssl.html
    * F-Secure Anti-Virus Linux Server Security 5.53 New product build#7020
      http://www.f-secure.com/webclub/fsssl.html
    * F-Secure Anti-Virus for Linux Gateways 4.65 New product build#7020
      http://www.f-secure.com/webclub/fsavgwl.html
    * F-Secure Anti-Virus for Linux Servers 4.65 New product build#7020
      http://www.f-secure.com/webclub/fsavsrvl.html
    * F-Secure Anti-Virus for Microsoft Exchange 6.62 fsavmse662-04
      ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse662-04.zip
    * F-Secure Anti-Virus for Microsoft Exchange 7.00 fsavmse700-01
      ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse700-01.zip
    * F-Secure Internet Gatekeeper 6.61 fsigk661-01
      ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk661-01.zip
    * F-Secure Internet Gatekeeper for Linux 2.16 New product build#533
      http://www.f-secure.com/webclub/fsigkl.html
    * F-Secure Anti-Virus for MIMEsweeper 5.61 fsavsr552-14
      ftp://ftp.f-secure.com/support/hotfix/fsav-msw/fsavsr552-14-signed.fsfix
    * F-Secure Messaging Security Gateway 3.x
      Unsupported version. Please upgrade to the latest version.
    * F-Secure Messaging Security Gateway 4.0.6 4.0.7
      Packages will be available in the update channel, and installed
        automatically.
    * Protection Services For Consumers 5 and 6
      Packages will be available in the update channel, and installed
        automatically.
    * Protection Services For Businesses 3
      Packages will be available in the update channel, and installed
        automatically.
    * F-Secure Internet Security 2006, 2007, 2007 Second Edition, 2008
      Packages will be available in the update channel, and installed
        automatically.

    Credits: F-Secure wants to thank Mr Thierry Zoller at n.runs AG for
    reporting these issues.

    Revision History: FSC-2008-02-13

    Contact Information:
    Support: http://support.f-secure.com/enu/home/contactus/
    Security: http://www.f-secure.com/security/
    URL: http://www.f-secure.com/

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




