Vulnerability Description
F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-middle attackers can replace the file with their own executable which will be executed under the SYSTEM account. Note that when Software Updater is configured to install updates automatically, it checks if the downloaded file is digitally signed by default, but does not check the author of the signature. When running in manual mode (default), no signature check is performed.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F-Secure | Software Updater | 2.20 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2017/Mar/28Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/96784Third Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2017/Mar/28Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/96784Third Party AdvisoryVDB Entry
FAQ
What is CVE-2017-6466?
CVE-2017-6466 is a vulnerability with a CVSS score of 8.1 (HIGH). F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-m...
How severe is CVE-2017-6466?
CVE-2017-6466 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-6466?
Check the references section above for vendor advisories and patch information. Affected products include: F-Secure Software Updater.