
fsc-2004-1.shtml

Posted May 26, 2004
Site f-secure.com

F-Secure Security Bulletin FSC-2004-1 - Certain malformed LHA archives cause a buffer overflow when scanning them for viruses. The error typically causes a restart of one of the modules in the product. This leads to performance degradation and makes denial of service attacks possible. Product lines affected: F-Secure Internet Security 2004, F-Secure Anti-Virus 2004, Solutions based on F-Secure Personal Express 4.6x and 4.7x.

tags | advisory, denial of service, overflow, virus
SHA-256 | 8f08c9186c7fae40800fd260c2cd4a2448c15fac280f4b24f294d90a8c5af12f

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>F-Secure Security Bulletin FSC-2004-1</title>
<body>
<script language="JavaScript" src="/navigation/js/main_menu.js"></script>
<link href="/navigation/css/fsecure.css" rel="styleSheet" type="text/css">
</head>
<body bgcolor="#FFFFFF" link="#0033CC" marginheight="4" topmargin="4">

<center>

<HTML>
<HEAD>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">

<LINK REL="SHORTCUT ICON" HREF="/images/f-secure.ico">
<title>F-Secure: Be Sure</title>
<script language="JavaScript" src="/navigation/js/main_menu_new.js"></script>
<link href="/navigation/css/fsecure.css" rel="styleSheet" type="text/css">



</HEAD>



<body bgcolor="white" link="#0033cc" marginheight="4" topmargin="4">

<table border="0" cellpadding="0" cellspacing="0" width="725"></center>

<center><table BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH="725" >
<tr>
<td valign="top" NOWRAP WIDTH="586">
<p>&nbsp;<P>
<h1><font size="+1" color="#000040" face="Arial, sans-serif">
F-Secure Security Bulletin FSC-2004-1<br>Buffer overflow caused by malformed LHA archive</font><br>
<img SRC="/images/left_subbuttonbg.gif" ALT="" height=2 width=550></h1>


<font size="2" face="Arial">
<p>
<table width="550">
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Date issued</td>
<td valign="top" width="435">2004-05-26</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Revision history</td>
<td valign="top" width="435">FSC-2004-1.1 - 2004-05-26</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Risk factor</td>
<td valign="top" width="435">High (Low/Medium/High/Critical)</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110" valign=top>Brief description</td>
<td valign="top" width="435">Certain malformed LHA archives cause a buffer overflow when scanning them for viruses. The error typically causes a restart of one of the modules in the product. This leads to performance degradation and makes denial of service attacks possible. Installing a hotfix solves the problem.</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Affected software</td>
<td valign="top" valign="top" width="435">F-Secure's antivirus products</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Affected versions</td>
<td valign="top" width="435">F-Secure Anti-Virus for Workstations 5.42 and earlier<br>
F-Secure Anti-Virus for Windows Servers 5.42 and earlier<br>
F-Secure Anti-Virus for MIMEsweeper 5.42 and earlier<br>
F-Secure Anti-Virus Client Security 5.52 and earlier<br>
F-Secure Anti-Virus for MS Exchange 6.21 and earlier<br>
F-Secure Internet Gatekeeper 6.32 and earlier<br>
F-Secure for Firewalls 6.20 and earlier<br>
F-Secure Internet Security 2004 and earlier<br>
F-Secure Anti-Virus 2004 and earlier<br>
Solutions based on F-Secure Personal Express 4.5x, 4.6x and 4.7x<br>
F-Secure Anti-Virus for Linux Workstations 4.52 and earlier<br>
F-Secure Anti-Virus for Linux Servers 4.52 and earlier<br>
F-Secure Anti-Virus for Linux Gateways 4.52 and earlier<br>
F-Secure Anti-Virus for Samba Servers 4.60
</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Affected platforms</td>
<td valign="top" width="435">All platforms supported by the affected products</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110">Bulletin location</td>
<td valign="top" width="435">http://www.F-Secure.com/security/fsc-2004-1.shtml</td>
</tr>
<tr>
<td valign="top" bgcolor="#D7EBFF" width="110" colspan="2"><img SRC="/images/left_subbuttonbg.gif" ALT="" height=2 width=550></td>
</tr>
<tr>
<td valign="top" width="110">Issue:</td>
<td valign="top" width="435">Certain types of malformed LHA archives cause a buffer overflow in the module that accesses the contents of archive files. This error leads to an automatic shutdown and restart of that particular module. The computer does not restart or crash in this situation. The typical impact of this is a temporary performance degradation that may be used as a denial of service attack under some circumstances. The practical impact is different for different product groups.<br><hr> </td>
</tr>
<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Internet Security 2004<br>
F-Secure Anti-Virus 2004<br>
Solutions based on F-Secure Personal Express 4.6x and 4.7x
</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">Low<p>These products contain the vulnerability but hotfixes are distributed automatically by the delivery system. Users of these products do not need to take any action.<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Anti-Virus for Workstations 5.42 and earlier<br>
F-Secure Anti-Virus for Windows Servers 5.42 and earlier<br>
F-Secure Anti-Virus Client Security 5.52 and earlier

</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">Medium<p>The on-access scanning feature of these products is not vulnerable in its default configuration. Scanning malformed archives of this type causes a module shutdown and restart if the "scan inside archives" setting is enabled. This has a temporary impact on system performance. On-demand scans will terminate when the malformed file is encountered. This may prevent viruses in other files from being detected. Malformed archives in e-mails scanned by F-Secure Anti-Virus Client Security will cause a module shutdown and restart in a way that is similar to the on-access scanner. The mail message containing the malformed archive will be handled according to the product settings for malformed messages.<p>F-Secure recommends that users of these products apply the hotfix.<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Anti-Virus for MIMEsweeper 5.42 and earlier<br>
F-Secure Internet Gatekeeper 6.32 and earlier<br>
F-Secure for Firewalls 6.20 and earlier
</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">Medium<p>Gateway products that encounter a malformed archive of this kind will shut down and restart the offending module automatically. The performance degradation caused by this may be used as a denial of service attack. Mail containing malformed archives of this kind will be handled according to the product settings for malformed messages.<p>F-Secure recommends that users of these gateway products apply the hotfix as soon as possible.<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Anti-Virus for MS Exchange 6.21 and earlier
</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">High<p>A malformed archive of this kind may cause an endless loop and stop the MS Exchange scanner from processing mail messages until the product is restarted.<p>F-Secure recommends that users of this gateway product apply the hotfix as soon as possible.<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Anti-Virus for Workstations 5.31 and earlier<br>
F-Secure Anti-Virus for Windows Servers 5.31 and earlier
</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">High<p>These outdated products are not able to handle the buffer overflow and may cause a system crash if malformed archives of this kind are scanned.<p>F-Secure recommends that users of these outdated versions upgrade to the latest supported version as soon as possible and apply the required hotfix if needed.
<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Products:</td>
<td valign="top" width="435">F-Secure Anti-Virus for Linux Workstations 4.52 and earlier<br>
F-Secure Anti-Virus for Linux Servers 4.52 and earlier<br>
F-Secure Anti-Virus for Linux Gateways 4.52 and earlier<br>
F-Secure Anti-Virus for Samba Servers 4.60
</td>
</tr>
<tr>
<td valign="top" width="110">Risk Factor:</td>
<td valign="top" width="435">Medium <p>The malformed archive will cause a shutdown and restart of the engine instance that handled it. This leads to a temporary performance degradation. The impact on system throughput should only be significant in heavily loaded mail scanning applications.<p>F-Secure recommends that users of these products apply the hotfix.
<br><hr>
</td>
</tr>

<tr>
<td valign="top" width="110">Mitigating Factors:</td>
<td valign="top" width="435"><ul><li>Mail scanning gateways are at greatest risk as they may encounter a large number of malformed archives of this type. <br>
<li>On-access scanning of client or server computers is not vulnerable unless the scan inside archive feature has been enabled. This feature is not enabled by default.</ul>
</td>
</tr>

<tr>
<td valign="top" width="110" colspan="2">Patch Availability:</td>
</tr>

<tr>
<td valign="top" width="110" colspan="2"><table border="1" width="580"><tr><td valign="top">Product </td><td valign="top">Versions </td><td valign="top">Hotfix ID</td> <td valign="top">Download</td></tr>
<tr><td valign="top">F-Secure Internet Security 2004</td> <td valign="top">-</td> <td valign="top" colspan="2" rowspan="3" align="center">Hotfix distributed automatically</td></tr>
<tr><td valign="top">F-Secure Anti-Virus 2004 </td><td valign="top">- </td></tr>
<tr><td valign="top">F-Secure Personal Express</td> <td valign="top">4.6x, 4.7x</td> </tr>
<tr><td valign="top">F-Secure Anti-Virus for Workstations</td> <td valign="top">5.41, 5.42</td> <td valign="top">fsavwk552-08</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk552-08-signed.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsav/fsavwk552-08-signed.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus Client Security</td> <td valign="top">5.50, 5.52 </td> <td valign="top">&nbsp;</td><td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk552-08-signed.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsavcs/fsavwk552-08-signed.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for MIMEsweeper</td> <td valign="top">5.41, 5.42</td> <td valign="top" rowspan="2">fsavsr541-14</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-mime/fsavsr541-14-signed.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsav-mime/fsavsr541-14-signed.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for Windows Servers</td> <td valign="top">5.41, 5.42</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr541-14-signed.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsav-server/fsavsr541-14-signed.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for MS Exchange</td> <td valign="top"> 6.21</td> <td valign="top" rowspan="2">CSS 6.31 HF3</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-03.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fscss631-03.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Internet Gatekeeper</td> <td valign="top">6.32</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsig/fscss631-03.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsig/fscss631-03.fsfix</a></td></tr>
<tr><td valign="top">F-Secure for Firewalls</td> <td valign="top">6.20</td> <td valign="top">FSAV4FW 6.20 HF5</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-fw/fsavfw620-05.fsfix">ftp://ftp.f-secure.com/support/hotfix/fsav-fw/fsavfw620-05.fsfix</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for Linux Workstations</td> <td valign="top">4.52</td> <td valign="top" rowspan="3">Hotfix 4</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz">ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for Linux Servers</td> <td valign="top">4.52 </td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz">ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for Linux Gateways</td> <td valign="top">4.52</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz">ftp://ftp.f-secure.com/support/hotfix/fsav-linux/fsav-4.52-hotfix4.tgz</a></td></tr>
<tr><td valign="top">F-Secure Anti-Virus for Samba Servers</td> <td valign="top">4.60</td> <td valign="top">Hotfix 1</td> <td valign="top"><a href="ftp://ftp.f-secure.com/support/hotfix/fsav-samba/fsav-4.60-hotfix1.tgz">ftp://ftp.f-secure.com/support/hotfix/fsav-samba/fsav-4.60-hotfix1.tgz</a></td></tr></table>
</td>
</tr>
<tr><td valign="top">Contact Information:</td><td valign="top">Support: <a href="http://support.f-secure.com">http://support.f-secure.com</a><br>
Security email: <a href="mailto:security@F-Secure.com">security@F-Secure.com</a>
</td></tr>
</table>
&nbsp;
</td>


</tr>
</table>
</center>
</body>
</html>
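
The bulletin does not say which part of the archive is malformed. As an added example (not F-Secure's code and not part of the bulletin), the following shows the length validation an archive-handling module needs before copying fields out of an LHA level-0 header. The field layout follows the commonly documented level-0 header; all function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes; all names in this example are hypothetical. */
enum lha_status { LHA_OK, LHA_TRUNCATED, LHA_BAD_METHOD, LHA_BAD_LEVEL,
                  LHA_BAD_LENGTH, LHA_BAD_CHECKSUM, LHA_NAME_TOO_LONG };
#define LHA_L0_FIXED 22u /* header_size counts 22 bytes besides the name */

/* Byte sum over the hdr bytes that follow the 2-byte prefix. */
static uint8_t lha_sum(const uint8_t *b, size_t hdr) {
    uint8_t s = 0;
    for (size_t i = 0; i < hdr; i++) s = (uint8_t)(s + b[2 + i]);
    return s;
}

/* Validate one level-0 header in buf[0..len) and copy its file name into
 * name[0..cap). Each length taken from the archive is checked against the
 * declared header size and the real input size before anything is copied. */
enum lha_status lha_l0_check(const uint8_t *buf, size_t len,
                             char *name, size_t cap) {
    if (len < 2) return LHA_TRUNCATED;
    size_t hdr = buf[0];                 /* bytes from offset 2 onward */
    if (hdr < LHA_L0_FIXED) return LHA_BAD_LENGTH;
    if (hdr + 2 > len) return LHA_TRUNCATED;
    if (buf[2] != '-' || buf[6] != '-') return LHA_BAD_METHOD; /* "-lh5-" */
    if (buf[20] != 0) return LHA_BAD_LEVEL;
    size_t n = buf[21];                  /* declared file name length */
    if (n + LHA_L0_FIXED > hdr) return LHA_BAD_LENGTH; /* name + CRC must fit */
    if (n + 1 > cap) return LHA_NAME_TOO_LONG;
    if (lha_sum(buf, hdr) != buf[1]) return LHA_BAD_CHECKSUM;
    memcpy(name, buf + 22, n);
    name[n] = '\0';
    return LHA_OK;
}

/* Build a constructed level-0 header for fname; out needs 24+strlen bytes. */
size_t lha_l0_sample(uint8_t *out, const char *fname) {
    size_t n = strlen(fname), hdr = LHA_L0_FIXED + n;
    memset(out, 0, hdr + 2);
    out[0] = (uint8_t)hdr;
    memcpy(out + 2, "-lh0-", 5);
    out[21] = (uint8_t)n;
    memcpy(out + 22, fname, n);
    out[1] = lha_sum(out, hdr);
    return hdr + 2;
}

int main(void) {
    uint8_t h[64]; char name[16];
    size_t len = lha_l0_sample(h, "a.txt");
    h[21] = 200;  /* constructed malformed input: name length > header */
    printf("%d\n", lha_l0_check(h, len, name, sizeof name));
    return 0;
}
```

A gateway or scanner front end can run a check like this and hand rejected files to its malformed-message policy, which is the handling the bulletin describes for mail carrying such archives.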
