silversurfer

Level 52
Verified
Trusted
Content Creator
Malware Hunter
A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

The list of impacted products includes F-Secure SAFE for Windows, Client Security, Client Security Premium, Server Security, Server Security Premium, PSB Server Security, Email and Server Security, Email and Server Security Premium, PSB Email and Server Security, PSB Workstation Security, Computer Protection, and Computer Protection Premium.

Exploiting the vulnerability against 7-Zip directly was relatively easy and it only required the targeted user to extract a specially crafted RAR file. However, in the case of F-Secure products, exploitation is more difficult due to the use of the Address Space Layout Randomisation (ASLR) memory protection system.

However, landave has found a way to bypass the protection and achieve code execution via malicious RAR files. The attacker could have sent the malicious file to the victim attached to an email, but this attack scenario required that the recipient manually trigger a scan of the file.

A more efficient method involved getting the victim to visit a malicious web page set up to automatically download the exploit file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

In its own advisory, F-Secure said the flaw could have been exploited to take complete control of a system, but there was no evidence of exploitation before the release of the patch.

The security firm also pointed out that some user interaction was required for the exploit to work and noted that archive scanning is only triggered if the “Scan inside compressed files” option is enabled.

F-Secure has paid out a bug bounty, but the amount has not been disclosed. According to its Vulnerability Rewards Program page, the company offers up to €5,000 ($5,800) for vulnerabilities that allow remote code execution on the client software.

Source: Flaw in F-Secure Products Allowed Code Execution via Malicious Archives | SecurityWeek.Com
 

upnorth

Level 34
Verified
Trusted
Content Creator
Thanks @silversurfer for the update. Glad to see that F-Secure is on their toes and fixed it, and I also saw Pavlov fixed this issue in 7-Zip with updates from version 18.01. The latest version of 7-Zip is now 18.05 (2018-05-01). This again proves that keeping one's software up to date is just as important as eating your vegetables. :geek:

Interesting bypass vector, and it makes me wonder if it's also possible with other archive software, as personally I don't use 7-Zip. Could this have been used against the non-full version of SAFE? I couldn't get in direct contact with F-Secure today as it's too late now, but I will try tomorrow.
 

Aerdian

Level 3
Verified
Thanks @silversurfer for the update. Glad to see that F-Secure is on their toes and fixed it, and I also saw Pavlov fixed this issue in 7-Zip with updates from version 18.01. The latest version of 7-Zip is now 18.05 (2018-05-01). This again proves that keeping one's software up to date is just as important as eating your vegetables. :geek:

Interesting bypass vector, and it makes me wonder if it's also possible with other archive software, as personally I don't use 7-Zip. Could this have been used against the non-full version of SAFE? I couldn't get in direct contact with F-Secure today as it's too late now, but I will try tomorrow.
There are so many people who don't update software frequently enough and those are the people who are most vulnerable to vulnerabilities :(
 

Slyguy

Level 42
Verified
Thanks @silversurfer
Interesting bypass vector, and it makes me wonder if it's also possible with other archive software, as personally I don't use 7-Zip. Could this have been used against the non-full version of SAFE? I couldn't get in direct contact with F-Secure today as it's too late now, but I will try tomorrow.
You don't have to use 7-Zip to be vulnerable to this. Many companies use the 7-Zip libraries and hence are fully vulnerable.

This exploit, from the sounds of it, generally seems to mean that simply surfing any website could allow a total system compromise. This isn't my field, but it sounds bad, and I would be horrified to have had something this nefarious sitting around for so long.
 

upnorth

Level 34
Verified
Trusted
Content Creator
No need to get horrified IMO, especially if one uses several product layers of protection and a tiny bit of common sense, and in this specific case it wasn't just a plain website visit that could sink your system.
User interaction is required prior to successful exploitation.
fsc-2018-2

Exploit Video

Updates generally cover a lot but of course not everything, but I'm way too old to get spooked 24/7, and I don't like to click like crazy (uninstall/install/uninstall/install) just to find out that, oops, that product also has some issues. F-Secure fixed it and I'm satisfied with that. If they didn't, I would be annoyed.
 

Slyguy

Level 42
Verified
You missed the part where it said the payload could be simply downloaded on a backchannel HTTP request, then the AV scanner would scan it, and the payload would be delivered.
 

Slyguy

Level 42
Verified
Thanks! Yeah, you're correct, but what about the "interaction"?
Interaction was noted in the first part. Later he explained how, without interaction, it could be used to totally control a system. That is where those async background HTTP requests come in: they download the payload RAR in the background, which then triggers the AV to scan it and initiates the exploit and system compromise. All without user interaction.

That's why I find it sort of horrifying and would feel like dirt having had something this ridiculous hanging around on my systems. Extremely discouraging for F-Secure, a company that bills themselves as being more proactive and secure. Ugh.
 

Slyguy

Level 42
Verified
'No evidence' doesn't mean it wasn't used, it just means they haven't been given conclusive proof it was used.

Based on those Vault 7 leaks and such, a plethora of exploits like this were hoarded by the CIA and NSA; I wouldn't be surprised if they knew about it.
 

Lord Ami

Level 19
Verified
Trusted
Malware Hunter
Fortunately for F-Secure product users - automatic updating has no "OFF" toggle if you will.
Hence most of the client software must have been patched in time.

But of course the scale of the issue was/is ridiculously big and easy to exploit.
 

upnorth

Level 34
Verified
Trusted
Content Creator
Fortunately for F-Secure product users - automatic updating has no "OFF" toggle if you will.
Hence most of the client software must have been patched in time.

But of course the scale of the issue was/is ridiculously big and easy to exploit.
I agree, but I saw something now that raised my eyebrows and I strongly believe it's important to mention.
“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.
I can confirm that the F-Secure SAFE, Antivirus and Client Security products' setting for scanning compressed files is actually OFF (by default), not ON, and always has been. F-Secure's statement is crystal clear:
Note: Compressed files are not scanned by default.
F-Secure Help Center

IMO this raises serious questions about the testing methodology created and reported by this "researcher", and also: how does a website visit with this exploit automatically infect a machine with F-Secure if the compressed file does not get extracted and scanned? Correct me if I'm wrong.
 