CVE-2017-6466

HIGH

F-Secure Software Updater 2.20 - Unauthenticated Arbitrary Code Execution via Man-in-the-Middle File Replacement

Title source: llm
STIX 2.1

Description

F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-middle attackers can replace the file with their own executable which will be executed under the SYSTEM account. Note that when Software Updater is configured to install updates automatically, it checks if the downloaded file is digitally signed by default, but does not check the author of the signature. When running in manual mode (default), no signature check is performed.

References (2)

Core 2
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2017/Mar/28
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96784

Scores

CVSS v3 8.1
EPSS 0.0154
EPSS Percentile 71.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (1)
f-secure/software_updater 2.20
Published Mar 11, 2017
Tracked Since Feb 18, 2026