November 2005
F-Secure - Two Security Bulletins
ID: 00990
Ref: 928/05
Date: 07 November 2005:11:19:27
Version: 1
Title: F-Secure - Two Security Bulletins
Abstract:
Vendors affected: F-Secure
Operating systems affected: F-Secure
Applications affected: F-Secure
Title
=====
F-Secure - Two Security Bulletins:
1. Directory Traversal Vulnerability in F-Secure Anti-Virus for Microsoft Exchange
and F-Secure Internet Gatekeeper [FSC-2005-02]
2. Local root vulnerability in F-Secure Internet Gatekeeper for Linux and F-Secure
Anti-Virus Linux Gateway 2005 [FSC-2005-03]
Detail
======
F-Secure has recently issued two security bulletins. They can be viewed at the
following URLs:
1. A limited directory traversal vulnerability can be exploited by bypassing the
Web Console authentication. It is possible to gain read access to a file on
the local disk from allowed hosts. By default, connections are only allowed
from the local host. To solve the problem, apply the appropriate hotfix.
http://www.f-secure.com/security/fsc-2005-2.shtml
2. A local user can elevate privileges to root by calling scripts installed by
the product. The scripts are world-executable and have the SUID bit enabled.
The severity of the issue is lower if the product has been installed on a
dedicated server that does not have any regular user accounts.
http://www.f-secure.com/security/fsc-2005-3.shtml
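
A check for the condition described in item 2, added here as an example (not from F-Secure or the original bulletin): it lists set-UID files under a directory that any user can execute and marks which of them are scripts. The function names and the directory argument are assumptions, since the bulletin does not name the install path; GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example: audit a directory tree for set-UID files that are
# executable by "others", the condition item 2 of the bulletin describes.
# DIR is a placeholder for the product's install directory (not given above).

# Print "script" if the file starts with a "#!" interpreter line, else "binary".
file_kind() {
    if [ "$(head -c 2 -- "$1" 2>/dev/null)" = '#!' ]; then
        echo script
    else
        echo binary
    fi
}

# Emit one tab-separated line per finding: KIND OWNER MODE PATH
audit_suid() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_suid: not a directory: $dir" >&2; return 2; }
    # -perm -4001 matches files with the set-UID bit AND execute-for-others set.
    # -xdev keeps the scan on one filesystem.
    find "$dir" -xdev -type f -perm -4001 -print | while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\n' \
            "$(file_kind "$f")" \
            "$(stat -c '%U' -- "$f")" \
            "$(stat -c '%a' -- "$f")" \
            "$f"
    done
}

# Count only the findings that are scripts; prints 0 when there are none.
count_suid_scripts() {
    audit_suid "$1" | awk -F '\t' '$1 == "script" { n++ } END { print n + 0 }'
}
```

Run `audit_suid` against the install directory before and after applying the vendor fix; a line beginning with `script` and owned by root is the case the bulletin describes.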