lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <HE1PR09MB00735F0E2F7BB5654E17DC13A82E0@HE1PR09MB0073.eurprd09.prod.outlook.com>
Date: Wed, 8 Mar 2017 12:52:43 +0000
From: Martin Kolárik <MartinKolarik@...look.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2017-6466 - Remote Code Execution under SYSTEM via MITM in
 F-Secure AV

CVE-2017-6466 - Remote Code Execution under SYSTEM via MITM in F-Secure AV
--------------------------------------------------------------------------

Summary
-------
Title: Remote Code Execution under SYSTEM via MITM in F-Secure AV
CVE: CVE-2016-9892
Vendor: F-Secure
Product: All products that include the software updater component
(https://www.f-secure.com/en/web/business_global/software-updater)
Publication Date: 2017-03-08
Fix: Not available - the vendor does not see this as a security problem
Discoverer: Martin Kolárik (@MaKolarik)

Description
-----------
Software Updater is a component used to download and install updates for
operating system and many 3rd party software products (a complete list can
be
found at
https://www.f-secure.com/documents/10192/406869/Software+Updater+-+Supported
+Products).
It downloads installation packages over HTTP protocol, with little or no
verification after downloading, and subsequently executes them under SYSTEM
account. This allows a remote attacker who can modify the packages during
downloading to gain a complete control of a target system.

Technical details
-----------------
Software Updater can be configured in two ways:
  a) Manual installation (default). System administrator logged into
     F-Secure Policy Manager Console can inspect a list of all available
     updates for managed computers, and select which updates will be
     installed. In this case, there is absolutely no verification after
     downloading and packages can be replaced with any executable.
  
  b) Automatic installation. Updates are downloaded and installed
     automatically when they become available. In this case, an option to
     only install signed packages is on by default. If this option is on,
     packages without signature are not installed automatically; instead,
     the installation command has to be issued manually from the Policy
     Manager Console (as if auto-updates were not enabled at all). Since
     not all vendors sign their packages, it is also possible to turn
     this verification off via Policy Manager Console.
  
     Even allowing only signed packages does not provide almost any
     protection, because the only thing Software Updater checks is if the
     package has a signature. It does not check by whom it was signed, nor
     when it was signed, so it is possible to replace it with any other
     executable, as long as it is also signed. In case the attacker is not
     able to sign their own code directly, they can use this vulnerability
     to install any publicly available software signed by its vendor, and
     subsequently exploit a vulnerability in that software instead.

Download attachment "smime.p7s" of type "application/pkcs7-signature" (6393 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ