===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2020.4271
AV Engine evasion via malformed RAR file
2 December 2020
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           FortiClient FortiOS AV
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9295

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-20-037

--------------------------BEGIN INCLUDED TEXT--------------------

AV Engine evasion via malformed RAR file

IR Number    : FG-IR-20-037
Date         : Dec 01, 2020
Risk         : 3/5
CVSSv3 Score : 4.7
Impact       : Bypass Protection Mechanism
CVE ID       : CVE-2020-9295

Summary

FortiClient and FortiOS AV engines may not immediately detect certain types of
malformed or non-standard RAR archives, potentially containing malicious files.

Based on the samples provided, FortiClient will detect the malicious files upon
trying extraction by real-time scanning and FortiGate will detect the malicious
archive if Virus Outbreak Prevention is enabled.

Impact

Bypass Protection Mechanism

Affected Products

FortiOS 6.2 running AV engine version 6.00142 and below.
FortiOS 6.4 running AV engine version 6.00144 and below.
FortiClient 6.2 running AV engine version 6.00137 and below.

Solutions

FortiOS 6.2 running AV engine version 6.00145 or later.
FortiOS 6.4 running AV engine version 6.00145 or later.
FortiClient 6.2 running AV engine version 6.00145 or later.
FortiClient 6.4 running AV engine version 6.00243 or later.

Workaround for FortiGate:

Enable Virus Outbreak Prevention feature.

Acknowledgement

Fortinet is pleased to thank Thierry Zoller for reporting this vulnerability
under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================