CVE-2023-42522
📋 TL;DR
This vulnerability allows remote attackers to crash the scanning engine in multiple WithSecure security products by sending a specially crafted PE file containing a malformed import struct. Affected users include organizations running WithSecure endpoint protection, server security, and Linux security products across Windows, Mac, and Linux platforms.
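A scanning engine crashing on a malformed import structure is, at bottom, an input-validation failure in a PE parser: a field is read from the file and used as an offset or count before it is checked against the data that actually exists. The block below is an added example, not code from WithSecure or from this advisory: a small Python parser for the PE import directory that range-checks every field it trusts (e_lfanew, optional header size, data directory entry, section table, each import descriptor and each DLL name RVA) and returns a "malformed" verdict instead of reading out of bounds. The descriptor cap of 4096, the 256-byte name cap and the constructed sample PE are assumptions for illustration; the sample is test data built in memory, not an executable.

```python
import struct

# PE/COFF layout constants (from the public PE format specification)
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMPORT_DIR_INDEX = 1      # IMAGE_DIRECTORY_ENTRY_IMPORT
DESCRIPTOR_SIZE = 20      # sizeof(IMAGE_IMPORT_DESCRIPTOR)
MAX_DESCRIPTORS = 4096    # assumed cap: a missing terminator must not loop forever
OPT_LAYOUT = {0x10B: (92, 96), 0x20B: (108, 112)}  # magic -> (NumberOfRvaAndSizes, DataDirectory)

class MalformedPE(ValueError):
    """A structural check failed: the file is unscannable, which is a verdict, not a crash."""

def rva_to_offset(sections, rva, size, file_len):
    """Map an RVA range to a file offset, or None if no section backs it with raw data."""
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta + size > rsize or rptr + delta + size > file_len:
                return None
            return rptr + delta
    return None

def parse_imports(data):
    """Return imported DLL names; every field is range-checked before it is trusted."""
    n = len(data)
    if n < 64 or data[:2] != DOS_MAGIC:
        raise MalformedPE("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > n or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise MalformedPE("bad e_lfanew or PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > n:
        raise MalformedPE("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in OPT_LAYOUT:
        raise MalformedPE("unknown optional header magic")
    count_off, dir_off = OPT_LAYOUT[magic]
    if count_off + 4 > opt_size:
        raise MalformedPE("optional header too short for data directories")
    num_dirs = struct.unpack_from("<I", data, opt + count_off)[0]
    entry = opt + dir_off + 8 * IMPORT_DIR_INDEX
    if num_dirs <= IMPORT_DIR_INDEX:
        return []                                  # no import directory declared
    if entry + 8 > opt + opt_size:
        raise MalformedPE("data directory truncated")
    import_rva = struct.unpack_from("<I", data, entry)[0]
    if import_rva == 0:
        return []
    table = opt + opt_size
    if table + 40 * num_sections > n:
        raise MalformedPE("section table truncated")
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", data, table + 40 * i + 8) for i in range(num_sections)]
    dlls = []
    for i in range(MAX_DESCRIPTORS):
        off = rva_to_offset(sections, import_rva + DESCRIPTOR_SIZE * i, DESCRIPTOR_SIZE, n)
        if off is None:
            raise MalformedPE("import descriptor outside mapped data")
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:   # all-zero terminator ends the table
            return dlls
        name_off = rva_to_offset(sections, name_rva, 1, n)
        if name_off is None:
            raise MalformedPE("DLL name RVA outside mapped data")
        end = data.find(b"\0", name_off, min(name_off + 256, n))   # 256: assumed name cap
        if end < 0:
            raise MalformedPE("unterminated DLL name")
        dlls.append(data[name_off:end].decode("ascii", "replace"))
    raise MalformedPE("import table exceeds descriptor cap")

def imports_or_none(data):
    """Scanner-style wrapper: DLL names, or None when the parser rejects the file."""
    try:
        return parse_imports(data)
    except MalformedPE:
        return None

def build_sample_pe(import_rva=0x1000, name_rva=0x1030):
    """Constructed minimal PE32 with one .idata section (test data, not a runnable program)."""
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, import_rva, 40)
    section = struct.pack("<8sIIIIIIHHI", b".idata", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + section).ljust(0x200, b"\0")
    idata = bytearray(0x200)                                     # section body; terminator is zero
    struct.pack_into("<IIIII", idata, 0, 0x1040, 0, 0, name_rva, 0x1048)  # one descriptor
    idata[0x30:0x3D] = b"kernel32.dll\0"                         # DLL name at RVA 0x1030
    return headers + bytes(idata)
```

`imports_or_none(build_sample_pe())` yields `['kernel32.dll']`; moving the import directory RVA outside every section (`import_rva=0x9000`), pointing a DLL name at an unmapped RVA, or truncating the file below the first descriptor all yield `None` rather than an exception escaping from a raw read. The design point is that each offset derived from the file is validated against both the section's raw size and the file length before use, and every loop over file-controlled counts has a hard cap.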
💻 Affected Systems
- WithSecure Client Security
- WithSecure Server Security
- WithSecure Email and Server Security
- WithSecure Elements Endpoint Protection
- WithSecure Client Security for Mac
- WithSecure Elements Endpoint Protection for Mac
- Linux Security 64
- Linux Protection
- WithSecure Atlant
📦 What is this software?
- Atlant by WithSecure
- Client Security by WithSecure
- Linux Protection by WithSecure
- Linux Security 64 by WithSecure
- Server Security by WithSecure
⚠️ Risk & Real-World Impact
Worst Case
Denial of service causing scanning engine crash, potentially disabling real-time protection and leaving systems vulnerable to other attacks during the outage.
Likely Case
Temporary disruption of scanning services requiring service restart, with possible missed detections during downtime.
If Mitigated
Minimal impact with proper network segmentation and monitoring to detect and respond to scanning engine crashes.
🎯 Exploit Status
Exploitation requires sending a specially crafted PE file to trigger the parsing vulnerability, which is relatively straightforward for attackers with knowledge of PE file structures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.withsecure.com/en/support/security-advisories
Restart Required: Yes
Instructions:
1. Check vendor advisory for specific patched versions.
2. Update all affected WithSecure products to latest versions.
3. Restart scanning services after update.
4. Verify update completion through management console.
🔧 Temporary Workarounds
Temporary scanning bypass:
Configure scanning exclusions for PE files from untrusted sources (not recommended long-term)
🧯 If You Can't Patch
- Implement network segmentation to limit exposure of scanning services
- Monitor for scanning engine crashes and implement automated restart procedures
🔍 How to Verify
Check if Vulnerable:
Check product version against affected versions list in vendor advisory
Check Version:
Check through WithSecure management console or product about dialog
Verify Fix Applied:
Verify product version is updated beyond affected versions and scanning engine is running normally
📡 Detection & Monitoring
Log Indicators:
- Scanning engine crash logs
- Unexpected service restarts
- Failed scan attempts
Network Indicators:
- Unusual PE file transfers to systems with scanning services
SIEM Query:
Search for 'scanning engine crash', 'service restart', or 'protection disabled' events in WithSecure logs
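The log indicators and SIEM query above reduce to a handful of phrases, but a responder also wants to know which hosts lost protection and whether crashes are clustering on one host (repeated crash-and-restart cycles are what a crafted file fed to a scanner repeatedly would look like). The following is an added example, not code or log output from WithSecure or this page: it runs the page's indicator phrases over constructed sample log lines, counts them, lists hosts that reported protection disabled, and flags hosts with three or more engine crashes inside a ten-minute window. The `<timestamp> <host> <message>` line layout, the host names and the threshold values are assumptions; real product logs will need their own line parser.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real WithSecure output); the "<ts> <host> <message>" layout is assumed.
SAMPLE_LOG = """\
2023-09-15T10:01:05Z host-a scanner: scanning engine crash while processing sample.exe
2023-09-15T10:01:08Z host-a scanner: service restart initiated
2023-09-15T10:03:40Z host-a scanner: scanning engine crash while processing invoice.exe
2023-09-15T10:03:43Z host-a scanner: service restart initiated
2023-09-15T10:06:10Z host-a scanner: scanning engine crash while processing setup.exe
2023-09-15T10:06:12Z host-a scanner: real-time protection disabled
2023-09-15T10:30:00Z host-b scanner: scan failed: file in use
2023-09-15T11:00:00Z host-b scanner: service restart initiated (scheduled update)
2023-09-15T11:00:05Z host-c scanner: routine scan completed
"""

# The three phrases the SIEM query searches for, plus failed scans from the log indicators.
PATTERNS = {
    "engine_crash": re.compile(r"scanning engine crash", re.I),
    "service_restart": re.compile(r"service restart", re.I),
    "protection_disabled": re.compile(r"protection disabled", re.I),
    "scan_failed": re.compile(r"scan (?:failed|aborted)", re.I),
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def classify(log_text):
    """Turn raw lines into (ts, host, kind) events; lines matching no indicator are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        for kind, pat in PATTERNS.items():
            if pat.search(m.group(3)):
                events.append((ts, m.group(2), kind))
                break
    return events

def find_crash_storms(events, window=timedelta(minutes=10), threshold=3):
    """Hosts whose engine crashed `threshold` or more times inside any `window`-long span."""
    by_host = defaultdict(list)
    for ts, host, kind in events:
        if kind == "engine_crash":
            by_host[host].append(ts)
    storms = []
    for host, times in sorted(by_host.items()):
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):                  # sliding window over sorted timestamps
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            storms.append((host, best))
    return storms

def triage(log_text):
    """Summary a responder can act on: indicator counts, hosts without protection, crash storms."""
    events = classify(log_text)
    counts = Counter(kind for _, _, kind in events)
    unprotected = sorted({host for _, host, kind in events if kind == "protection_disabled"})
    return {"counts": dict(counts), "unprotected_hosts": unprotected,
            "crash_storms": find_crash_storms(events)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, host-a is reported both as a crash storm (three crashes in five minutes) and as a host with protection disabled, while host-b's single scheduled restart and one failed scan are counted but not escalated. Keyword matching alone would have produced four "service restart" hits with no way to tell the scheduled one from the crash-driven ones; the per-host time window is what separates an outage worth investigating from routine maintenance.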