1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Support
  3. Security Advisory
  4. Security Advisory FSC-2007-5

Security Advisory FSC-2007-5

Scan bypass vulnerabilities in handling of specially crafted LHA and RAR archives

Date issued 2007-06-19
Last updated 2007-06-18
Risk factor Medium (Low/Medium/High/Critical)
Brief description Several F-Secure products are affected by archive file scan bypass vulnerabilities:
  • user decompressable, crafted RAR archives cannot be parsed (opened) by Anti-Virus
  • user decompressable, crafted LHA archives cannot be parsed (opened) by Anti-Virus
Software F-Secure's Anti-Virus products for Microsoft Windows and Linux
Affected versions F-Secure Anti-Virus for Workstations version 7.00 and earlier
F-Secure Anti-Virus for Windows Servers version 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52
F-Secure Anti-Virus for MIMEsweeper version 5.61 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Internet Gatekeeper version 6.61 and earlier
F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Linux Client Security 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Internet Gatekeeper for Linux 2.16 and earlier
Affected platforms All platforms supported by the affected products
Advisory location http://www.f-secure.com/security/fsc-2007-5.shtml
Issue An attacker may create a specially crafted LHA or RAR archive file with manipulated archive file header fields and malicious contents, which then goes through Anti-Virus scanning without interception.

The manipulated file header fields basically break the archive file from Anti-Virus point of view, but certain decompression programs are still capable of opening archive for the user, in some cases with errors displayed.
Workstation products F-Secure Internet Security 2005, 2006 and 2007
F-Secure Anti-Virus 2005, 2006 and 2007
Solutions based on F-Secure Protection Service for Consumers version 7.00 and earlier
F-Secure Client Security version 7.00 and earlier
F-Secure Anti-Virus for Workstations 7.00 and earlier
F-Secure Linux Client Security 5.52 and earlier
Risk factor Low
  These products contain the described vulnerabilities, but do not scan inside archives by default, except by their possible e-mail scanning component. Archive contents that evade the detection in initial scanning, will be intercepted at the time of decompression.

Recent antivirus database updates have automatically fixed both of the mentioned issues, without any intervention needed by the user/administrator.
Server products F-Secure Anti-Virus for Windows Servers 7.00 and earlier
F-Secure Anti-Virus for Citrix Servers version 5.52 and earlier
F-Secure Linux Server Security 5.52 and earlier
F-Secure Anti-Virus for Linux Servers version 4.65 and earlier
Risk factor Low
  These products contain the described vulnerabilities, but do not scan inside archives by default.

Recent antivirus database updates have automatically fixed both of the mentioned issues, without any intervention needed by the user/administrator.
Gateway products F-Secure Internet Gatekeeper 6.61 and earlier
F-Secure Anti-Virus for MS Exchange version 7.00 and earlier
F-Secure Anti-Virus for Linux Gateways version 4.65 and earlier
F-Secure Internet Gatekeeper for Linux 2.16
Risk factor High
  These gateway products typically scan inside archives, thus are affected by the vulnerability. However antivirus software on the receiving clients intercept the malicious contents at the point of archive decompression by the user.

Recent antivirus database updates have automatically fixed both of the mentioned issues, without any intervention needed by the user/administrator.
Gateway products F-Secure Anti-Virus for MIMEsweeper 5.61 and earlier
Risk factor Medium
  F-Secure Anti-Virus for MIMEsweeper does not handle archives. Archives are handled by MIMEsweeper and this vulnerability does not affect the reliability of such systems. The vulnerability does however affect the virus scanner's ability to detect malware that is stored in archives on the disk of the computer that runs MIMEsweeper. The impact of this is however minimal in the default configuration.

Recent antivirus database updates have automatically fixed both of the mentioned issues, without any intervention needed by the user/administrator.
Mitigating factors
  • Exploitation of the vulnerabilities requires specially crafted archives.
  • Vulnerability in archive scanning concerns only those products that scan inside archives by default (gateway solutions).
  • These issues have been fixed automatically in F-Secure database updates. This applies all the affected product versions with the exception of deployments not using automatic or automated scripts for the updates.

Available patches:

Product Versions Hotfix ID Download
F-Secure Internet Security 2005 - 2007 2005 - 2007 - Fixed automatically in database updates.
F-Secure Anti-Virus 2005 - 2007 2005 - 2007 - Fixed automatically in database updates.
F-Secure Protection Service for Consumers 5.00 - 7.00 - Fixed automatically in database updates.
F-Secure Anti-Virus for Workstations 5.44 - 7.00 - Fixed automatically in database updates.
F-Secure Client Security 6.00 - 7.00 - Fixed automatically in database updates.
F-Secure Anti-Virus for Windows Servers 5.50 - 7.00 - Fixed automatically in database updates.
F-Secure Anti-Virus for Citrix Servers 5.50 - 5.52 - Fixed automatically in database updates.
F-Secure Anti-Virus for MIMEsweeper 5.61 - Fixed automatically in database updates.
F-Secure Anti-Virus for MS Exchange 6.01 - Fixed automatically in database updates.
F-Secure Anti-Virus for MS Exchange 6.61 - 7.00 - Fixed automatically in database updates.
F-Secure Internet Gatekeeper 6.60 - 6.61 - Fixed automatically in database updates.
F-Secure Anti-Virus for Linux Servers 4.64 - 4.65 - Fixed automatically in database updates.
F-Secure Anti-Virus for Linux Gateways 4.64 - 4.65 - Fixed automatically in database updates.
F-Secure Linux Client Security 5.30 - 5.52 - Fixed automatically in database updates.
F-Secure Linux Server Security 5.30 - 5.52 - Fixed automatically in database updates.
F-Secure Internet Gatekeeper for Linux 2.16 - Fixed automatically in database updates.
Credits F-Secure wants to thank Thierry Zoller in n.runs AG (http://www.nruns.com/) for reporting these issues.
Revision history FSC-2007-5 / 2007-06-15

Contact information:
Support: http://www.f-secure.com/en_EMEA/support/


BE SURE