CVE-2023-42520
📋 TL;DR
This vulnerability allows remote attackers to crash the scanning engine in multiple WithSecure security products by sending specially crafted data files. Affected users include those running WithSecure Client Security, Server Security, Email and Server Security, Elements Endpoint Protection, Linux Security, and Atlant products. The crash occurs during the unpacking process of malicious files.
💻 Affected Systems
- WithSecure Client Security
- WithSecure Server Security
- WithSecure Email and Server Security
- WithSecure Elements Endpoint Protection
- WithSecure Client Security for Mac
- WithSecure Elements Endpoint Protection for Mac
- Linux Security 64
- Linux Protection
- WithSecure Atlant
📦 What is this software?
Atlant by WithSecure
Client Security by WithSecure
Linux Protection by WithSecure
Linux Security 64 by WithSecure
Server Security by WithSecure
⚠️ Risk & Real-World Impact
Worst Case
Denial of service causing security scanning to fail, potentially allowing malware to bypass detection while the engine is down.
Likely Case
Temporary service disruption requiring restart of affected security components, creating a window of reduced protection.
If Mitigated
Minimal impact with automated restart mechanisms and layered security controls preventing exploitation.
🎯 Exploit Status
Exploitation requires delivering a crafted file to be scanned, which could be achieved through various file transfer methods. No authentication is needed to trigger the crash once the file reaches the scanning engine.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions per product
Vendor Advisory: https://www.withsecure.com/en/support/security-advisories
Restart Required: Yes
Instructions:
1. Visit the WithSecure security advisories page.
2. Identify your product and version.
3. Download and apply the latest security update.
4. Restart affected services or systems as required.
🔧 Temporary Workarounds
Disable automatic scanning of untrusted files
Configure scanning engines to skip or delay scanning of files from untrusted sources
Implement file type restrictions
Block or quarantine suspicious file types at the network perimeter
🧯 If You Can't Patch
- Implement network segmentation to limit file delivery to security servers
- Deploy additional security layers (firewalls, IDS/IPS) to detect and block suspicious file transfers
🔍 How to Verify
Check if Vulnerable:
Check product version against affected versions list in vendor advisory
Check Version:
Product-specific: typically via the product console or a command-line version query such as 'f-secure --version'
Verify Fix Applied:
Verify product version has been updated to patched version and scanning engine remains stable during file processing tests
📡 Detection & Monitoring
Log Indicators:
- Scanning engine crash logs
- Unexpected service restarts
- Failed scan attempts with specific file types
Network Indicators:
- Unusual file transfers to security servers
- Multiple failed scanning attempts from single source
SIEM Query:
source="withsecure" AND (event="crash" OR event="restart") AND process="scanning_engine"
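The SIEM query above can be turned into a small offline triage routine. The following is an added example, not code from the advisory or from WithSecure: it applies the same filter (source, process, event) to a set of constructed log lines, then correlates each crash with the client whose scan was in progress so that the "multiple failed scanning attempts from a single source" indicator can be checked. The key=value log layout and the field names `file`, `client`, `scan_start` and `scan_complete` are assumptions for the example; real WithSecure logs have their own format and need to be mapped to these fields in the SIEM.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value layout; real WithSecure
# logs use their own format and must be mapped to these fields in the SIEM.
SAMPLE_LOGS = """\
2024-01-10T09:00:01Z source=withsecure process=scanning_engine event=scan_start file=report.zip client=10.0.0.5
2024-01-10T09:00:02Z source=withsecure process=scanning_engine event=crash signal=SIGSEGV
2024-01-10T09:00:05Z source=withsecure process=scanning_engine event=restart
2024-01-10T09:01:00Z source=withsecure process=scanning_engine event=scan_start file=invoice.pdf client=10.0.0.9
2024-01-10T09:01:01Z source=withsecure process=scanning_engine event=scan_complete file=invoice.pdf
2024-01-10T09:02:00Z source=withsecure process=scanning_engine event=scan_start file=archive.7z client=10.0.0.5
2024-01-10T09:02:01Z source=withsecure process=scanning_engine event=crash signal=SIGSEGV
2024-01-10T09:02:04Z source=withsecure process=scanning_engine event=restart
2024-01-10T09:03:00Z source=syslog process=scanning_engine event=crash
2024-01-10T09:03:30Z source=withsecure process=updater event=restart
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into its timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def engine_events(lines):
    """Yield parsed events that come from the WithSecure scanning engine only."""
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.get("source") == "withsecure" and e.get("process") == "scanning_engine":
            yield e


def find_engine_faults(lines):
    """Equivalent of the SIEM query above: engine crash or restart events."""
    return [e for e in engine_events(lines) if e.get("event") in ("crash", "restart")]


def crash_sources(lines, threshold=2):
    """Attribute each crash to the client whose scan was in progress.

    Returns the clients with at least `threshold` attributed crashes, which is
    the 'multiple failed scanning attempts from a single source' indicator.
    """
    in_progress = None
    crashes = Counter()
    for e in engine_events(lines):
        ev = e.get("event")
        if ev == "scan_start":
            in_progress = e
        elif ev == "crash" and in_progress is not None:
            crashes[in_progress.get("client", "unknown")] += 1
            in_progress = None  # engine restarts; the next crash needs a new scan
        elif ev == "scan_complete":
            in_progress = None
    return {client: n for client, n in crashes.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for e in find_engine_faults(lines):
        print(e["ts"], e["event"])
    print("repeat-crash sources:", crash_sources(lines))
```

On the constructed input the filter yields four crash/restart events and the correlation attributes two crashes to client 10.0.0.5; the crash with `source=syslog` and the `updater` restart are excluded, as they would be by the SIEM query. Raising `threshold` tunes how many crashes from one source are needed before an alert fires.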