Error in F-Secure Products Permitted Code Execution via Harmful Archives

A harmful flaw distressing different consumer and business products from F-Secure could have been oppressed for distant code implementation practicing particularly shaped archive files. A researcher who practices the online moniker “landave” has recognized numerous flaws associated to 7-Zip, an open source file archiver employed by different commercial products. Certain security flaws influence 7-Zip and products employing it, while others are precise to the third-party operations of 7-Zip.

Some of the flaws, revealed in 2017, influence Bitdefender products. On Tuesday, landave issued a blog post relating how one of the 7-Zip flaws were recognized previous year, specifically CVE-2018-10115, can be consumption to accomplish distant code execution on most F-Secure endpoint defensive products for Windows. The particulars of the flaw have been revealed after F-Secure moved out a fix through its automatic update devices on May 22. Operators don’t require to take any deed, except they openly restricted automatic updates.

The list of influenced products contains F-Secure SAFE for Windows, Client Security, Client Security Premium, Server Security, Server Security Premium, PSB Server Security, Email and Server Security, Email and Server Security Premium, PSB Email and Server Security, PSB Workstation Security, Computer Protection, and Computer Protection Premium.

Developing the flaw in contrast to 7-Zip straight was comparatively relaxed and it merely essential for the targeted user to excerpt a particularly created RAR file. But, in such situation F-Secure products, misuse is more problematic because of the habit of the Address Space Layout Randomisation memory defense system.

But, landave has originated a method to avoid the defense and attain code execution via harmful RAR files. The hacker could have sent the harmful file to the prey devoted to an email, however this threat setup is compulsory as the receiver physically activate a scan of the file. A more effective technique contained getting the object to visit a harmful website page set up to automatically download the achieve file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

F-Secure stated the vulnerability could have been oppressed to take whole control of a system, however there was no indication of misuse before the announcement of the fix. The security company also figured out that certain user interaction was compulsory for the activity to work and distinguished that collection scanning is simply activated if the “Scan inside compressed files” choice is allowed.

F-Secure has remunerated out a flaw bounty, however the amount has not been revealed. According to its Vulnerability Rewards Program page, the firm proposes up to for flaws that permit distant code implementation on the client software.

Leave a Reply

Your email address will not be published. Required fields are marked *