ESB-2013.0588 - [Win] F-Secure Products: Execute arbitrary code/commands - Remote with user interaction
Date: 29 April 2013
Original URL: http://www.auscert.org.au/render.html?cid=1980&it=17438
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0588
FSC-2013-1: Remote code execution vulnerability in DLL component
29 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F-Secure Anti-Virus for Microsoft Exchange Server 9.00 - 9.10
F-Secure Anti-Virus for Windows Servers 9.00
F-Secure Anti-Virus for Citrix Servers 9.00
F-Secure Email and Server Security 9.20
F-Secure Server Security 9.20
Solutions based on F-Secure Protection Service for Business Email and Server Security 9.20
Solutions based on F-Secure Protection Service for Business Server Security 9.20
Publisher: F-Secure
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
Original Bulletin:
http://www.f-secure.com/en/web/labs_global/fsc-2013-1
- --------------------------BEGIN INCLUDED TEXT--------------------
FSC-2013-1: Remote code execution vulnerability in DLL component
Brief Description
A vulnerability in a legacy DLL component related to ActiveX control, in
certain F-Secure's server products, allows arbitrary connections to be made
to the ODBC drivers when using the Internet Explorer (IE) web browser. If the
local server is running using local authentication, an attacker may be able to
execute arbitrary SQL statements.
Affected Platforms
• All supported platforms
Products
Risk Level: HIGH (Low/Medium/High/Critical)
• F-Secure Anti-Virus for Microsoft Exchange Server 9.00 - 9.10
• F-Secure Anti-Virus for Windows Servers 9.00
• F-Secure Anti-Virus for Citrix Servers 9.00
• F-Secure Email and Server Security 9.20
• F-Secure Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Email and
  Server Security 9.20
• Solutions based on F-Secure Protection Service for Business Server
  Security 9.20
Mitigating Factors
Exploiting the vulnerability requires use of the IE web browser. On Windows
Server 2003 servers, the "IE Enhanced Security Configuration" option (which
is enabled by default) must also be disabled. The local server must run with
local authentication in order for the attacker to run arbitrary SQL statements.
No attacks have been reported in the wild.
Credit
F-Secure Corporation wants to thank Andrea Micalizzi (aka rgod) and HP's Zero
Day Initiative (ZDI) for reporting the issue.
Fix Available
Product:  F-Secure Anti-Virus for Microsoft Exchange Server
Versions: 9.00 - 9.10
Download: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/FSAVMSE910-HF02.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsav-mse/FSAVMSE910-HF02.jar

Product:  F-Secure Anti-Virus for Windows Servers
Versions: 9.00
Download: ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.jar

Product:  F-Secure Anti-Virus for Citrix Servers
Versions: 9.00
Download: ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsav-server/FSAVSRV900_HF09.jar

Product:  F-Secure Email and Server Security
Versions: 9.20
Download: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS920-HF01.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS920-HF01.jar

Product:  F-Secure Server Security
Versions: 9.20
Download: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS920-HF01.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS920-HF01.jar

Product:  Solutions based on F-Secure Protection Service for Business (PSB)
          Email and Server Security
Versions: 9.20
Download: Fix available in the automatic update channel.
          No user actions needed.

Product:  Solutions based on F-Secure Protection Service for Business (PSB)
          Server Security
Versions: 9.20
Download: Fix available in the automatic update channel.
          No user actions needed.

Date Issued: 2013-04-24
Last Updated: 2013-04-24
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----