__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

              F-Secure ZIP and RAR-archive handling
            [F-Secure Security Bulletin FSC-2006-1]

January 19, 2006 18:00 GMT                                       Number Q-103
______________________________________________________________________________
PROBLEM:       A security vulnerability was discovered in the way F-Secure
               Anti-Virus products for Microsoft Windows and Linux handle
               ZIP and RAR-archive files.

PLATFORM:      F-Secure Anti-Virus for Workstation version 5.44 and earlier
               F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
               F-Secure Anti-Virus for Citrix Servers version 5.52
               F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
               F-Secure Anti-Virus Client Security version 6.01 and earlier
               F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
               F-Secure Internet Gatekeeper version 6.42 and earlier
               F-Secure Anti-Virus for Firewalls version 6.20 and earlier
               F-Secure Internet Security 2004, 2005 and 2006
               F-Secure Anti-Virus 2004, 2005 and 2006
               Solutions based on F-Secure Personal Express version 6.20
                 and earlier
               F-Secure Anti-Virus for Linux Workstations version 4.52
                 and earlier
               F-Secure Anti-Virus for Linux Servers version 4.64 and earlier
               F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier
               F-Secure Anti-Virus for Samba Servers version 4.62
               F-Secure Anti-Virus Linux Client Security 5.11 and earlier
               F-Secure Anti-Virus Linux Server Security 5.11 and earlier
               F-Secure Internet Gatekeeper for Linux 2.14 and earlier

DAMAGE:        Specially crafted ZIP archives may be used to execute code on
               affected systems. Both RAR- and ZIP-archives can in addition
               be crafted to avoid successful scanning and obfuscate
               malicious code in the archive.

SOLUTION:      See F-Secure's bulletin for a listing of products that are
               not automatically updated.
               Apply available security updates.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH for gateway installations that scan web (HTTP,
ASSESSMENT:    FTP) and mail (SMTP, POP) traffic. The on-access scanners of
               some products are not vulnerable in their default
               configurations. Standard operating procedures protect or
               reduce the vulnerability of some products. Automated patching
               protects some products.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-103.shtml
 ORIGINAL BULLETIN:  http://www.f-secure.com/security/fsc-2006-1.shtml
______________________________________________________________________________

[***** Start F-Secure Security Bulletin FSC-2006-1 *****]

F-Secure Security Bulletin FSC-2006-1

Code execution vulnerability in ZIP and RAR-archive handling

Date issued      2006-01-19
Last updated     2006-01-19
Risk factor      Critical (Low/Medium/High/Critical)

Brief description
Specially crafted ZIP archives may be used to execute code on affected
systems. Both RAR- and ZIP-archives can in addition be crafted to avoid
successful scanning and obfuscate malicious code in the archive.
Software
F-Secure's Anti-Virus products for Microsoft Windows and Linux

Affected versions
F-Secure Anti-Virus for Workstation version 5.44 and earlier
F-Secure Anti-Virus for Windows Servers version 5.52 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Anti-Virus Client Security version 6.01 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Internet Gatekeeper version 6.42 and earlier
F-Secure Anti-Virus for Firewalls version 6.20 and earlier
F-Secure Internet Security 2004, 2005 and 2006
F-Secure Anti-Virus 2004, 2005 and 2006
Solutions based on F-Secure Personal Express version 6.20 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.64 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier
F-Secure Anti-Virus for Samba Servers version 4.62
F-Secure Anti-Virus Linux Client Security 5.11 and earlier
F-Secure Anti-Virus Linux Server Security 5.11 and earlier
F-Secure Internet Gatekeeper for Linux 2.14 and earlier

Affected platforms
All platforms supported by the affected products

Bulletin location
http://www.f-secure.com/security/fsc-2006-1.shtml

Issue:

It is possible to create specially crafted ZIP archives that cause a
buffer overflow. This allows an attacker to execute code of his choice on
affected systems.

It is in addition possible to create malformed RAR- and ZIP-archives that
cannot be scanned properly. This can lead to a false negative scan result.

------

Products:
F-Secure Internet Security 2004, 2005 and 2006
F-Secure Anti-Virus 2004, 2005 and 2006
Solutions based on F-Secure Personal Express version 6.20 and earlier

Risk Factor: Critical

These products contain the vulnerability but hotfixes are distributed
automatically by the delivery system. Users of these products do not need
to take any action.
This means that virtually all affected systems in this category will be
patched automatically shortly after publication of this advisory.

------

Products:
F-Secure Anti-Virus for Workstations 5.44 and earlier
F-Secure Anti-Virus for Linux Workstations version 4.52 and earlier
F-Secure Anti-Virus Linux Client Security 5.11 and earlier

Risk Factor: Critical

These products contain the vulnerability, but successful exploitation
requires the user to scan the exploit with archive scanning enabled. This
can happen, for example, during on-demand scanning or if the on-access
scanner's settings have been changed. The on-access scanner is not
vulnerable in its default configuration.

F-Secure recommends that all users of these products install the hotfix
or upgrade to a version that is not affected (if available).

------

Products:
F-Secure Anti-Virus Client Security version 6.01 and earlier

Risk Factor: Critical

This product contains e-mail scanning functionality. This module is
vulnerable in its default configuration, which makes it more likely that
an attack against this product will succeed compared to other affected
client products. The on-access scanner in this product is not vulnerable
in its default configuration.

F-Secure recommends that all users of this product install the hotfix or
upgrade to a version that is not affected (if available).

------

Products:
Server and gateway products:
F-Secure Anti-Virus for Windows Servers 5.52 and earlier
F-Secure Internet Gatekeeper 6.42 and earlier
F-Secure Anti-Virus for Firewalls 6.20 and earlier
F-Secure Anti-Virus for MS Exchange version 6.40 and earlier
F-Secure Anti-Virus Linux Server Security 5.11 and earlier
F-Secure Anti-Virus for Linux Servers version 4.64 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.64 and earlier
F-Secure Anti-Virus for Samba Servers 4.62
F-Secure Internet Gatekeeper for Linux 2.14

Risk Factor: Critical

Gateway installations that scan web (HTTP, FTP) and mail (SMTP, POP)
traffic are vulnerable. These machines typically scan a large number of
archive files with the "scan inside archives" setting enabled. Server
products that are configured to use scheduled on-demand scans are also
likely to be vulnerable. This makes products in this category the most
likely target for attacks.

F-Secure recommends that all users of the mentioned gateway and server
products install the hotfix or upgrade to a version that is not affected
(if available).

------

Products:
F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier

Risk Factor: Critical

This product is vulnerable, but under normal circumstances the Clearswift
MIMEsweeper product performs the archive handling. The vulnerability can
however be exploited if the product is used to scan the local system, or
if MIMEsweeper fails to recognize an archive correctly and passes it on to
the F-Secure scanner.

F-Secure recommends that users apply the hotfix or upgrade to a later
version (if available).

Mitigating Factors:

* The vulnerability requires that the exploit is scanned with archive
  scanning enabled. This is typically the case in gateway environments and
  in scheduled scans on servers. On-access scanning does not scan inside
  archives in a typical configuration. This makes successful exploitation
  of the vulnerability less likely in client environments.
* Clearswift MIMEsweeper handles archive extraction, and this reduces the
  risk in environments that use F-Secure Anti-Virus for MIMEsweeper.

Patch and upgrade availability:

Product                                     Versions          Hotfix ID
    Download
-----------------------------------------------------------------------------
F-Secure Internet Security                  2004 - 2006       -
    Hotfix distributed automatically
F-Secure Anti-Virus                         2004 - 2006       -
    Hotfix distributed automatically
F-Secure Personal Express                   6.20 and earlier  -
    Hotfix distributed automatically
F-Secure Anti-Virus for Workstations        5.42-5.44         fsavwk617-02
    ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk617-02-signed.fsfix
F-Secure Anti-Virus Client Security         6.00-6.01         fsavwk617-02
    ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk617-02-signed.fsfix
F-Secure Anti-Virus for Windows Servers     5.42-5.52         fsavsr552-02
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-02-signed.fsfix
F-Secure Anti-Virus for Citrix Servers      5.50-5.52         fsavsr552-02
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-02-signed.fsfix
F-Secure Anti-Virus for MIMEsweeper         5.42-5.61         fsavsr552-02
    ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr552-02-signed.fsfix
F-Secure Anti-Virus for MS Exchange         6.01              fscss631-07
    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-07.zip
F-Secure Anti-Virus for MS Exchange         6.40              fsavmse640-03
    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-03.zip
F-Secure Internet Gatekeeper                6.42              Version upgrade
                                                              to 6.50 or
                                                              fsigk642-02
    http://www.f-secure.com/anti-virus/webclub/fsigk.shtml
    OR ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk642-02.zip
F-Secure Anti-Virus for Linux Servers       4.63-4.64         Updated binary
    ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus for Linux Gateways      4.63-4.64         Updated binary
    ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus for Samba Servers       4.62              Updated binary
    ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Client Security   5.00-5.04         Updated binary
    ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Client Security   5.10-5.11         Version upgrade
                                                              to 5.20 or
                                                              updated binary
    http://www.f-secure.com/anti-virus/webclub/corporate/fsavlcs.shtml
    OR ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Server Security   5.00-5.04         Updated binary
    ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Anti-Virus Linux Server Security   5.10-5.11         Version upgrade
                                                              to 5.20 or
                                                              updated binary
    http://www.f-secure.com/anti-virus/webclub/corporate/fsavlss.shtml
    OR ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz
F-Secure Internet Gatekeeper for Linux      2.10-2.14         Version upgrade
                                                              to 2.16 or
                                                              updated binary
    http://www.f-secure.com/anti-virus/webclub/fsigkl.shtml
    OR ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-fsigk-linux-FSC-2006-1-hotfix.tgz

Credits:
F-Secure Corporation thanks Thierry Zoller (http://www.zoller.lu) for
bringing this issue to our attention.

Revision History:
FSC-2006-1 - 2006-01-19

Contact Information:
Support:   http://support.f-secure.com/enu/home/contactus/
Security:  http://www.f-secure.com/security/
URL:       http://www.f-secure.com/

[***** End F-Secure Security Bulletin FSC-2006-1 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of F-Secure for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-093: libapache2-mod-auth-pgsql
Q-094: auth_ldap Security Update
Q-095: Vulnerability in Embedded Web Fonts Could Allow Remote Code
       Execution
Q-096: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft
       Exchange Could Allow Remote Code Execution
Q-097: Default Administrative Password in Cisco Security Monitoring,
       Analysis and Response System (CS-MARS)
Q-098: Ethereal Security Update
Q-099: Red Hat 4 Kernel Update
Q-100: Oracle Critical Patch Update
Q-101: Cisco Call Manager Privilege Escalation
Q-102: Red Hat 3 Kernel Update
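The Issue section of the F-Secure bulletin above notes that a malformed archive the scanner cannot parse can produce a false negative. A gateway that fails closed on such archives (quarantine or block, never deliver as clean) removes that mode. The following is an added example, not code from CIAC or F-Secure: it cross-checks each ZIP central-directory entry against the local header it points at using Python's standard zipfile module, and the three sample archives it builds are constructed for the demonstration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"            # 30-byte ZIP local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)


def check_local_header(data: bytes, info: zipfile.ZipInfo):
    """Cross-check one central-directory entry against its local header;
    return a problem string, or None when every declared length fits."""
    off = info.header_offset
    if off + LOCAL_LEN > len(data) or data[off:off + 4] != LOCAL_SIG:
        return f"{info.filename}: no local header at offset {off}"
    (_s, _v, flags, _m, _t, _d, _crc, csize, _usize, nlen, xlen) = \
        struct.unpack_from(LOCAL_FMT, data, off)
    name_start = off + LOCAL_LEN
    body = name_start + nlen + xlen
    if body > len(data):
        return f"{info.filename}: name/extra length {nlen}+{xlen} exceeds data"
    raw = data[name_start:name_start + nlen]
    local_name = raw.decode("utf-8" if flags & 0x0800 else "cp437")
    if local_name != info.orig_filename:
        return f"{info.filename}: local header names {local_name!r} instead"
    # bit 3 defers sizes to a data descriptor, so bound csize only when unset
    if not flags & 0x0008 and body + csize > len(data):
        return f"{info.filename}: compressed size {csize} exceeds data"
    return None


def archive_verdict(data: bytes) -> str:
    """'parseable' only when central directory, local headers and CRCs agree;
    anything else is 'malformed' and must be quarantined, never passed as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(check_local_header(data, i) for i in zf.infolist()):
                return "malformed"
            if zf.testzip() is not None:   # reads every entry, verifies each CRC
                return "malformed"
    except (zipfile.BadZipFile, EOFError, OSError, RuntimeError, struct.error, ValueError):
        return "malformed"
    return "parseable"


def build_samples() -> dict:
    """Constructed inputs: a sound archive, one whose local header claims a
    65535-byte name, and one truncated inside its end-of-central-directory record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample content\n")
    good = buf.getvalue()
    bad = bytearray(good)
    struct.pack_into("<H", bad, 26, 0xFFFF)   # name-length field, first local header
    return {"good": good, "bad_length": bytes(bad), "truncated": good[:-10]}
```

A RAR equivalent needs a RAR block parser, which the standard library does not provide; the policy is the same: an archive that cannot be walked end to end has not been scanned.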