The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of F-Secure Anti-Virus

computer vulnerability note 26299

F-Secure: memory corruption via Windows Endpoint Protection

Synthesis of the vulnerability

An attacker can trigger a memory corruption in the Windows Endpoint Protection component of F-Secure, in order to cause a denial of service and possibly to run code.
Impacted products: F-Secure AV.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 01/06/2018.
Identifiers: CERTFR-2018-AVI-269, FSC-2018-2, VIGILANCE-VUL-26299.

Description of the vulnerability

An attacker can trigger a memory corruption in the Windows Endpoint Protection component of F-Secure, in order to cause a denial of service and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-5565 CVE-2017-5566 CVE-2017-5567

Antivirus: privilege escalation via Microsoft Application Verifier

Synthesis of the vulnerability

An attacker can abuse Microsoft Application Verifier to bypass the self-protection of several antivirus products, in order to run code inside the antivirus process and escalate his privileges.
Impacted products: Avast AV, NOD32 Antivirus, F-Secure AV, AVG AntiVirus, McAfee MOVE AntiVirus, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, TrendMicro Internet Security, OfficeScan.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/03/2017.
Identifiers: 1116957, CVE-2017-5565, CVE-2017-5566, CVE-2017-5567, CVE-2017-6186, CVE-2017-6417, VIGILANCE-VUL-22211.

Description of the vulnerability

An attacker can abuse Microsoft Application Verifier to bypass the self-protection of these antivirus products, in order to escalate his privileges. Application Verifier loads the verifier provider DLLs named under an executable's Image File Execution Options registry key into that process as it starts, before the product's own code runs; registering a malicious DLL for the antivirus executable therefore runs attacker code inside the trusted, self-protected process, and the registration survives reboots and product updates. Writing that key requires administrative rights, so in practice the gain is persistence and code execution inside a process that other defenses trust.

computer vulnerability CVE-2017-6466

F-Secure AV: Man-in-the-Middle

Synthesis of the vulnerability

An attacker positioned as a Man-in-the-Middle between F-Secure AV and the servers it contacts can read or alter the data of the session.
Impacted products: F-Secure AV.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/03/2017.
Identifiers: CVE-2016-9892-ERROR, CVE-2017-6466, VIGILANCE-VUL-22075.

Description of the vulnerability

An attacker positioned as a Man-in-the-Middle between F-Secure AV and the servers it contacts can read or alter the data of the session.

vulnerability bulletin 17793

F-Secure Anti-Virus: privilege escalation via FSGK.SYS

Synthesis of the vulnerability

A local attacker can use the FSGK.SYS driver of F-Secure Anti-Virus, in order to escalate his privileges.
Impacted products: F-Secure AV.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 02/09/2015.
Identifiers: FSC-2015-3, VIGILANCE-VUL-17793.

Description of the vulnerability

The F-Secure Anti-Virus product installs the Gatekeeper driver (FSGK.SYS).

However, the driver creates its device object without the FILE_DEVICE_SECURE_OPEN flag. Without this flag the I/O manager applies the device object's security descriptor only to opens of the device name itself, not to opens of a name below it (such as \\.\devicename\anything), so an unprivileged local user can obtain a handle and reach the driver's IOCTL handlers; the bulletin reports that these let the caller manipulate kernel memory allocations.

A local attacker can therefore use the FSGK.SYS driver of F-Secure Anti-Virus to escalate his privileges.

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, 
vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, 
SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocol versions:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker who controls the network can force a client that still supports SSL 3.0 to fall back to it, by making the TLS handshakes fail. SSL 3.0 CBC cipher suites then have a weakness: the receiver checks only the last byte of the padding (its length) and ignores the padding content. A Man-in-the-Middle who can make the victim repeat a request (for example with JavaScript injected into a page) copies a chosen ciphertext block into the padding position and observes whether the server accepts the record; acceptance reveals one plaintext byte of that block, at a cost of about 256 requests per byte, which is enough to recover a session cookie.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
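The mechanism above, worked through as an added example (this is not F-Secure code and not a real SSL library): a toy SSL 3.0 record layer that MACs, pads with arbitrary bytes and encrypts in CBC. A small Feistel construction stands in for the block cipher and HMAC-SHA1 for the MAC, both constructed for the demonstration; the cookie value, the request layout the attacker's script controls (a prefix and a suffix length) and the fresh IV per record are likewise assumptions. `recover_byte` uses only the ciphertext and the server's accept/reject answer, and the `strict` flag shows why the same oracle is useless against TLS-style padding that is fully checked.

```python
"""POODLE as a toy: SSL 3.0 style CBC padding and the one-byte oracle it gives a MITM.
Added example; the cipher, MAC, keys, cookie and request layout are all constructed."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20
SECRET = b"session=5f3a9c1b"                   # constructed cookie value to recover
KEY, MAC_KEY = os.urandom(16), os.urandom(16)  # never seen by the attacker


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):                        # Feistel round function (stand-in cipher)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def encrypt_record(data, strict=False):
    """MAC-then-pad-then-encrypt. SSL 3.0 pads with arbitrary bytes; TLS (strict) repeats pad_len."""
    body = data + hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK
    pad = bytes([pad_len]) * pad_len if strict else os.urandom(pad_len)
    body += pad + bytes([pad_len])
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(KEY, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def decrypt_record(ct, strict=False):
    """Server side. Returns the data, or None on any padding/MAC error (what the MITM observes)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(block_decrypt(KEY, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    if strict and any(b != pad_len for b in pt[-pad_len - 1:-1]):
        return None                            # TLS 1.0+ checks every padding byte
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(MAC_KEY, data, hashlib.sha1).digest()):
        return None
    return data

HEAD = b" Cookie: "                             # fixed text between attacker prefix and secret

def client_request(prefix_len, suffix_len, strict=False):
    """The victim's browser re-sends the cookie; attacker JS controls path and body length."""
    return encrypt_record(b"/" * prefix_len + HEAD + SECRET + b"x" * suffix_len, strict)

def recover_byte(k, strict=False, max_attempts=None):
    """Recover SECRET[k] from ciphertext and the accept/reject oracle only.
    Layout: SECRET[k] is the last byte of block i and the final block is pure padding
    (pad_len 15). Replacing C_n by C_i makes the server see P'_n[15] = D(C_i)[15] ^ C_{n-1}[15];
    it accepts only when that is 15, which reveals P_i[15] = 15 ^ C_{i-1}[15] ^ C_{n-1}[15].
    Returns (byte, attempts), or None once max_attempts is reached."""
    prefix_len = (BLOCK - 1 - len(HEAD) - k) % BLOCK
    target = prefix_len + len(HEAD) + k            # offset of SECRET[k] in the plaintext
    i = target // BLOCK + 1                        # +1 because block 0 is the IV
    suffix_len = (-(prefix_len + len(HEAD) + len(SECRET) + MAC_LEN)) % BLOCK
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        ct = client_request(prefix_len, suffix_len, strict)
        blocks = [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        n = len(blocks) - 1
        forged = b"".join(blocks[:n]) + blocks[i]  # last block replaced by the target block
        if decrypt_record(forged, strict) is not None:
            return (BLOCK - 1) ^ blocks[i - 1][-1] ^ blocks[n - 1][-1], attempts
    return None

def recover_secret(nbytes):
    """Byte-by-byte recovery; each byte costs about 256 repeated requests."""
    return bytes(recover_byte(k)[0] for k in range(nbytes))
```

The attacker never touches the keys: the only inputs to `recover_byte` are the record it sees on the wire and whether the server rejected the forged copy. With `strict=True` the forged final block would have to decrypt to sixteen identical bytes, so the oracle fires with negligible probability; the real remedy is to disable SSL 3.0 (and deploy TLS_FALLBACK_SCSV so a downgrade cannot be forced), not to patch the padding check alone.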

computer vulnerability alert CVE-2013-7369

F-Secure Anti-Virus: SQL execution via an ActiveX

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious web site with Internet Explorer, to load an ActiveX installed by F-Secure Anti-Virus, in order to execute SQL queries on ODBC drivers.
Impacted products: F-Secure AV.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion.
Provenance: document.
Creation date: 25/04/2013.
Identifiers: BID-59443, CERTA-2013-AVI-273, CVE-2013-7369, FSC-2013-1, VIGILANCE-VUL-12716.

Description of the vulnerability

The F-Secure Anti-Virus product installs an ActiveX control that connects to an ODBC driver and submits SQL queries.

However, this control is exposed to Internet Explorer, so a web page can instantiate it.

An attacker can therefore invite the victim to display a malicious web site with Internet Explorer, to load an ActiveX installed by F-Secure Anti-Virus, in order to execute SQL queries on ODBC drivers.

computer vulnerability announce CVE-2012-1429 CVE-2012-1430 CVE-2012-1431

F-Secure Anti-Virus: bypassing via ELF, EXE, RAR, TAR

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by F-Secure Anti-Virus.
Impacted products: F-Secure AV.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 21/03/2012.
Identifiers: BID-52581, BID-52589, BID-52591, BID-52598, BID-52612, BID-52614, BID-52623, BID-52626, CVE-2012-1429, CVE-2012-1430, CVE-2012-1431, CVE-2012-1442, CVE-2012-1443, CVE-2012-1459, CVE-2012-1461, CVE-2012-1463, VIGILANCE-VUL-11477.

Description of the vulnerability

Tools that extract archives (RAR, TAR, etc.) tolerate slightly malformed archives, and systems also run slightly malformed programs (ELF, EXE). However, F-Secure Anti-Virus does not detect viruses contained in these archives/programs: the scanner's file-type identification or parser rejects a file that the extractor or loader still accepts.

An ELF program containing "ustar" at offset 257 bypasses the detection. [severity:2/4; BID-52581, CVE-2012-1429]

An ELF program containing "\19\04\00\10" at offset 8 bypasses the detection. [severity:2/4; BID-52589, CVE-2012-1430]

An ELF program containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:2/4; BID-52591, CVE-2012-1431]

An EXE program containing a large "class" field bypasses the detection. [severity:2/4; BID-52598, CVE-2012-1442]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

An ELF program with a changed 5th byte bypasses the detection. [severity:2/4; BID-52614, CVE-2012-1463]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then detected only once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus, but which the system still runs.
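The class of bypass listed above, as an added illustration rather than F-Secure's or the researchers' code: the magic values and offsets for ELF, ustar and RAR are the real ones, while the two scanner policies, the format parsers, the detection string and the sample files are constructed for this example. `scan_naive` trusts a single file-type guess and treats a parse failure as "nothing to scan"; `scan_robust` scans the file as every format an extractor or loader would accept, and treats a format that matches but will not parse as suspicious.

```python
"""Format confusion in a file scanner. Added example, not F-Secure code: real magic
offsets for ELF/ustar/RAR, constructed scanner policies, parsers and sample files."""
ELF_MAGIC, MZ_MAGIC = b"\x7fELF", b"MZ"
USTAR_MAGIC, USTAR_OFFSET = b"ustar", 257
RAR_MARKER = b"Rar!\x1a\x07\x00"
SIGNATURE = b"CONSTRUCTED-MALWARE-PATTERN"   # stands in for a real detection string


def sniff(buf, lenient):
    """Formats whose signature matches; lenient mimics what extractors accept."""
    found = []
    if buf[USTAR_OFFSET:USTAR_OFFSET + len(USTAR_MAGIC)] == USTAR_MAGIC:
        found.append("TAR")
    if buf.startswith(ELF_MAGIC):
        found.append("ELF")
    if buf.startswith(MZ_MAGIC):
        found.append("EXE")
    # unrar accepts a stub before the marker (self-extracting archives);
    # a strict sniff insists on the marker at offset 0.
    if (RAR_MARKER in buf[:0x10000]) if lenient else buf.startswith(RAR_MARKER):
        found.append("RAR")
    return found

def tar_payload(buf):
    """ustar header: octal checksum at 148..156 over the header with that field as spaces."""
    hdr = buf[:512]
    try:
        stored = int(hdr[148:156].rstrip(b"\0 "), 8)
    except ValueError:
        raise ValueError("tar: unparsable checksum field") from None
    if sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]) != stored:
        raise ValueError("tar: bad header checksum")
    return buf[512:]

def elf_payload(buf):
    if len(buf) < 16 or buf[4] not in (1, 2) or buf[5] not in (1, 2):  # EI_CLASS, EI_DATA
        raise ValueError("elf: bad e_ident")
    return buf                       # code may sit anywhere in the image: scan it whole

def exe_payload(buf):
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("exe: no PE header")
    return buf

def rar_payload(buf):
    idx = buf.find(RAR_MARKER)
    if idx < 0:
        raise ValueError("rar: no marker")
    return buf[idx + len(RAR_MARKER):]   # constructed: treat the rest as stored data

PARSERS = {"TAR": tar_payload, "ELF": elf_payload, "EXE": exe_payload, "RAR": rar_payload}

def scan_naive(buf):
    """One format, chosen by fixed priority (containers first), fail-open on parse error."""
    formats = sniff(buf, lenient=False)
    if not formats:
        return "infected" if SIGNATURE in buf else "clean"
    try:
        return "infected" if SIGNATURE in PARSERS[formats[0]](buf) else "clean"
    except ValueError:
        return "clean"               # the bug: "cannot parse" is treated as "nothing to scan"

def scan_robust(buf):
    """Scan as every format the target software might accept; a parse failure is a signal."""
    verdict = "clean"
    for fmt in sniff(buf, lenient=True):
        try:
            if SIGNATURE in PARSERS[fmt](buf):
                return "infected"
        except ValueError:
            verdict = "suspicious"
    if SIGNATURE in buf:             # and always sweep the raw bytes as well
        return "infected"
    return verdict

def elf_with_ustar():
    """ELF image with "ustar" at offset 257 (the CVE-2012-1429 shape); payload later in the file."""
    img = bytearray(2048)
    img[0:4] = ELF_MAGIC
    img[4:7] = bytes([2, 1, 1])      # ELFCLASS64, little-endian, EV_CURRENT
    img[USTAR_OFFSET:USTAR_OFFSET + len(USTAR_MAGIC)] = USTAR_MAGIC
    img[1024:1024 + len(SIGNATURE)] = SIGNATURE
    return bytes(img)

def rar_with_mz():
    """RAR data whose first two bytes are "MZ" (the CVE-2012-1443 shape)."""
    return MZ_MAGIC + bytes(62) + RAR_MARKER + SIGNATURE + bytes(16)

def valid_tar():
    """Well-formed ustar header (correct checksum) followed by the payload: both scanners catch it."""
    hdr = bytearray(512)
    hdr[0:8] = b"evil.bin"
    hdr[USTAR_OFFSET:USTAR_OFFSET + len(USTAR_MAGIC)] = USTAR_MAGIC
    hdr[148:156] = b"%06o\0 " % (sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:]))
    return bytes(hdr) + SIGNATURE + bytes(512 - len(SIGNATURE))
```

The two constructed samples fail in opposite directions: the ELF is mistaken for a TAR archive whose header checksum does not verify, and the RAR archive is mistaken for an executable with no PE header; in both cases the naive policy reports "clean" while the loader or unrar would happily process the file. The check a practitioner wants from a scanner is therefore not "which format is this" but "which formats could some consumer treat this as", and a file that claims a format it cannot satisfy deserves a verdict of its own rather than a pass.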

computer vulnerability bulletin 10948

F-Secure Anti-Virus: code execution via fsresh.dll

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious HTML document calling the F-Secure Gadget Resource Handler ActiveX, in order to execute code on the victim's computer.
Impacted products: F-Secure AV.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 24/08/2011.
Identifiers: BID-49293, FSC-2011-3, VIGILANCE-VUL-10948.

Description of the vulnerability

F-Secure products install the F-Secure Gadget Resource Handler ActiveX (fsresh.dll).

However, the initialize() method of this ActiveX does not check the size of its second parameter. An attacker can thus pass an overlong second parameter, in order to corrupt memory.

An attacker can therefore invite the victim to display a malicious HTML document calling the F-Secure Gadget Resource Handler ActiveX, in order to execute code on the victim's computer.

computer vulnerability note 10219

F-Secure AV: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in F-Secure Anti-Virus.
Impacted products: F-Secure AV.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 15/12/2010.
Identifiers: ASPR #2011-01-11-1, BID-45405, FSC-2010-4, VIGILANCE-VUL-10219.

Description of the vulnerability

The F-Secure Anti-Virus application loads the wintab32.dll library when it starts.

However, the library is loaded by name rather than by full path, so the Windows DLL search order can resolve it to a wintab32.dll placed in the current directory, such as the directory of a document the user opened (the generic DLL preloading issue tracked as VIGILANCE-VUL-9879).

An attacker can therefore invite the victim to open a file with F-Secure Anti-Virus from a network share containing a malicious DLL, in order to execute code in the context of F-Secure Anti-Virus.

vulnerability bulletin CVE-2010-5151 CVE-2010-5152 CVE-2010-5154

Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus hooks the SSDT to inspect system calls, a local attacker can exploit an atomicity error (a race between the check and the use of the call's parameters), in order to bypass this protection.
Impacted products: Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.
Severity: 2/4.
Consequences: administrator access/rights, data flow.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
Identifiers: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT (System Service Descriptor Table) holds the addresses of the kernel's system call handlers:
 - NtCreateKey : create a key in registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Antiviruses redirect entries of this table to their own verification functions. Several implementations validate the parameters and then call the original system call. However, the parameters live in user-mode memory that the calling process still controls, so between these two operations a second thread of the attacker's program can change them: the check sees legitimate parameters, and the original system call then runs with the modified ones (a time-of-check/time-of-use double fetch). An attacker can therefore create a program that presents legitimate parameters to the check and swaps them just before the system call. The correct hook copies the parameters into kernel memory once, and validates and uses that copy.

When an antivirus hooks the SSDT to inspect system calls, a local attacker can therefore exploit this atomicity error, in order to bypass the protection.
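The race, as an added Python sketch (not code from any antivirus product, and with names that are stand-ins): a dict represents the caller's user-mode argument memory, the `race` callback the moment at which the attacker's second thread wins the race, and `nt_delete_file` the original system call the hook forwards to; the protected and benign paths are constructed. `hook_vulnerable` reads the argument twice, `hook_fixed` captures it once and works on the copy, which in a kernel driver means probing the user buffer and copying it into kernel memory before validating it.

```python
"""Check-then-use race in an SSDT hook. Added example, not from any antivirus:
the dict, the `race` callback, the paths and nt_delete_file are constructed stand-ins."""
PROTECTED = {r"C:\protected\av.sys"}          # constructed: paths the hook must refuse


def nt_delete_file(args):
    """Original system call: acts on whatever the argument memory says right now."""
    return "STATUS_SUCCESS", args["path"]


def hook_vulnerable(user_args, race=lambda: None):
    """Validates user memory, then hands the same user memory to the real call."""
    if user_args["path"] in PROTECTED:          # fetch 1: the check
        return "STATUS_ACCESS_DENIED", None
    race()                                       # the window the attacker races into
    return nt_delete_file(user_args)             # fetch 2: the use


def hook_fixed(user_args, race=lambda: None):
    """Captures the arguments once, then checks and uses only that copy
    (in a kernel driver: probe and copy the user buffer into kernel memory first)."""
    captured = {"path": str(user_args["path"])}  # single fetch; the caller cannot alter it
    if captured["path"] in PROTECTED:
        return "STATUS_ACCESS_DENIED", None
    race()
    return nt_delete_file(captured)


def run_attack(hook, target=r"C:\protected\av.sys"):
    """Attacker: show a benign path to the check, swap in the target before the use."""
    args = {"path": r"C:\Temp\benign.txt"}

    def flip():                                  # the attacker's second thread winning the race
        args["path"] = target

    return hook(args, race=flip)


if __name__ == "__main__":
    print(run_attack(hook_vulnerable))   # ('STATUS_SUCCESS', 'C:\\protected\\av.sys'): bypassed
    print(run_attack(hook_fixed))        # ('STATUS_SUCCESS', 'C:\\Temp\\benign.txt'): only the checked path
```

The deterministic callback replaces the timing loop a real exploit would run (one thread calling the system call repeatedly, another flipping the argument); in the kernel the equivalent fix is that every value read from user memory is probed and copied exactly once, and all later decisions and the forwarded call operate on the kernel-side copy.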