F-Secure has fixed a severe vulnerability in its home and enterprise antivirus products that could have allowed an attacker to execute malicious code on the user’s machine and take over affected PCs.
The actual vulnerability doesn’t affect F-Secure directly, but the 7-Zip file archiving software, which F-Secure uses to decompress archives, scan them for threats, and repackage the original file.
Vulnerability really resides in 7-Zip
A security researcher going by the pseudonym “landave” discovered this particular vulnerability (CVE-2018-10115) in March and worked with the 7-Zip team to fix the problem.
This was landave’s third 7-Zip vulnerability, after CVE-2017-17969 and CVE-2018-5996. The researcher also found two 7-Zip-related bugs affecting the Bitdefender antivirus in 2017 [1, 2].
For obvious reasons, as soon as the researcher found this latest 7-Zip bug, he looked for another antivirus product that could also be affected, and he noticed that F-Secure’s line of antivirus products was susceptible to his latest discovery.
Vulnerability exploited via poisoned RAR file
According to a technical write-up explaining the 7-Zip vulnerability in more detail, the bug can be exploited by creating a malformed RAR archive that, when decompressed, triggers the execution of malicious code on a user’s computer.
Since F-Secure antivirus products automate some of these decompression operations during their scanning procedure, exploiting this bug was as trivial as tricking a user into visiting a malicious URL that initiated a file download.
Landave says that F-Secure products automatically scan every newly downloaded file under 5MB in size. Once the download of the malicious RAR file finishes, the antivirus decompresses it for scanning, the malformed archive triggers CVE-2018-10115, and the attacker’s code runs on the user’s computer.
Exploit chain bypasses ASLR
The researcher says that even though F-Secure implemented Address Space Layout Randomisation (ASLR), a security feature intended to prevent such exploits, he was able to find a bypass that would allow him to run the attack regardless.
The issue was privately reported to the F-Secure team via the company’s bug bounty program, and the company released an update to all affected antivirus products on May 22.
F-Secure users don’t have to take any action to receive this update unless they’ve turned off the auto-update feature. A list of affected products is included in this F-Secure security advisory. Only the Windows versions of F-Secure products were affected, not the company’s Mac and Linux products.
Furthermore, users can disable the “Scan inside compressed files (zip, arj, lzh, …)” option to prevent the antivirus from looking inside archived files.
We’ve patched a serious vulnerability in our Windows Endpoint Protection products. It sucks to have vulns, but we’re happy it was reported to us via our bug bounty program by @0xlandave. Thanks! https://t.co/Awxbuk8scm
— Mikko Hypponen (@mikko) June 7, 2018
Taking over PCs via malformed archive files is not a novel concept. A Google Project Zero security researcher showed similar exploits in a slew of antivirus products over the past two to three years, with the latest one aimed at Windows Defender.