CVE-2017-6466 - Remote Code Execution under SYSTEM via MITM in F-Secure AV -------------------------------------------------------------------------- Summary ------- Title: Remote Code Execution under SYSTEM via MITM in F-Secure AV CVE: CVE-2016-9892 Vendor: F-Secure Product: All products that include the software updater component (https://www.f-secure.com/en/web/business_global/software-updater) Publication Date: 2017-03-08 Fix: Not available - the vendor does not see this as a security problem Discoverer: Martin Kolarik (@MaKolarik) Description ----------- Software Updater is a component used to download and install updates for operating system and many 3rd party software products (a complete list can be found at https://www.f-secure.com/documents/10192/406869/Software+Updater+-+Supported+Products). It downloads installation packages over HTTP protocol, with little or no verification after downloading, and subsequently executes them under SYSTEM account. This allows a remote attacker who can modify the packages during downloading to gain a complete control of a target system. Technical details ----------------- Software Updater can be configured in two ways: a) Manual installation (default). System administrator logged into F-Secure Policy Manager Console can inspect a list of all available updates for managed computers, and select which updates will be installed. In this case, there is absolutely no verification after downloading and packages can be replaced with any executable. b) Automatic installation. Updates are downloaded and installed automatically when they become available. In this case, an option to only install signed packages is on by default. If this option is on, packages without signature are not installed automatically; instead, the installation command has to be issued manually from the Policy Manager Console (as if auto-updates were not enabled at all). Since not all vendors sign their packages, it is also possible to turn this verification off via Policy Manager Console. Even allowing only signed packages does not provide almost any protection, because the only thing Software Updater checks is if the package has a signature. It does not check by whom it was signed, nor when it was signed, so it is possible to replace it with any other executable, as long as it is also signed. In case the attacker is not able to sign their own code directly, they can use this vulnerability to install any publicly available software signed by its vendor, and subsequently exploit a vulnerability in that software instead.