CVE-2023-47263
📋 TL;DR
A denial-of-service vulnerability in WithSecure antivirus products lets an attacker crash the scanning engine by getting a specially crafted PE32 file scanned. It affects multiple WithSecure endpoint protection products across Windows, Mac, and Linux. Each crash interrupts scanning until the engine restarts, which disrupts security monitoring and can let malware slip through unscanned during the restart window.
💻 Affected Systems
- WithSecure Client Security
- WithSecure Server Security
- WithSecure Email and Server Security
- WithSecure Elements Endpoint Protection
- WithSecure Client Security for Mac
- WithSecure Elements Endpoint Protection for Mac
- WithSecure Linux Security 64
- WithSecure Linux Protection
- WithSecure Atlant (formerly F-Secure Atlant)
📦 What is this software?
Atlant by WithSecure
Client Security by WithSecure
Linux Protection by WithSecure
Linux Security 64 by WithSecure
Server Security by WithSecure
⚠️ Risk & Real-World Impact
Worst Case
Antivirus engine crashes, leaving systems unprotected while the service restarts, potentially allowing malware execution during the window of vulnerability.
Likely Case
Temporary denial of service where the antivirus engine stops scanning files until it automatically restarts, creating brief security gaps.
If Mitigated
Minimal impact with antivirus service quickly restarting and resuming protection, though brief scanning gaps may occur.
🎯 Exploit Status
Requires getting a specially crafted PE32 file onto the target where the product will scan it (on-access scan of a dropped or downloaded file, an e-mail attachment, a file share, or a manual scan). No authentication bypass is needed: any delivery path that lands a file on the host, or write access for a local user, is enough to trigger the scan.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions per product
Vendor Advisory: https://www.withsecure.com/en/support/security-advisories/cve-2023-47263
Restart Required: Yes
Instructions:
1. Review the vendor advisory for the specific patched version of each affected product.
2. Update affected WithSecure products to the latest versions.
3. Restart systems or antivirus services to apply the updates.
4. Verify the engine version after the update.
🔧 Temporary Workarounds
Temporary scanning exclusion
Configure the antivirus to exclude specific directories where untrusted PE32 files arrive (for example a download or ingest staging directory).
Configure via the WithSecure management console: add file path exclusions for those directories.
Caveat: an exclusion trades a crash for a blind spot, because a PE32 that is not scanned is also not detected. Keep the exclusion as narrow as possible and remove it as soon as the patch is applied.
Enhanced monitoring
Monitor antivirus service health and restart events.
Set up alerts for antivirus service crashes or restarts, and treat repeated crashes on one host within a short window as a likely exploitation attempt rather than an isolated fault.
🧯 If You Can't Patch
- Implement application allowlisting to prevent execution of unknown PE32 files
- Enhance file integrity monitoring for PE32 files in sensitive directories
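Both of the controls above need a reliable way to tell PE32 files apart from PE32+ images and from non-PE data, since the advisory names PE32 specifically and an attacker will not cooperate by using an `.exe` extension. The following Python is an added example, not WithSecure's code or tooling: it classifies a file from its headers (the DOS `e_lfanew` pointer at offset 0x3C, the `PE\0\0` signature, and the optional-header magic, 0x10B for PE32 and 0x20B for PE32+) rather than trusting the extension. The `build_minimal_pe` helper constructs a synthetic header for the self-check; it is constructed test data, not a real executable.

```python
import struct
from pathlib import Path
from typing import Iterator, Optional, Tuple

PE32_MAGIC = 0x10B      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
PE32PLUS_MAGIC = 0x20B  # IMAGE_NT_OPTIONAL_HDR64_MAGIC
_NT_PREFIX_LEN = 4 + 20 + 2  # PE signature + COFF file header + optional-header magic


def _classify_nt(nt: bytes) -> Optional[str]:
    """Classify the bytes found at e_lfanew: 'PE32', 'PE32+' or None."""
    if len(nt) < _NT_PREFIX_LEN or nt[:4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", nt, 24)
    return {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)


def pe_kind(data: bytes) -> Optional[str]:
    """Classify an in-memory image. Truncated or malformed input yields None, never an exception."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return _classify_nt(data[e_lfanew:e_lfanew + _NT_PREFIX_LEN])


def pe_kind_of_file(path: Path) -> Optional[str]:
    """Same classification without reading the whole file: read the DOS header, then seek to e_lfanew."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return _classify_nt(f.read(_NT_PREFIX_LEN))


def find_pe32(root: Path) -> Iterator[Tuple[Path, str]]:
    """Yield (path, kind) for every PE32 file under root, whatever its extension says."""
    for p in root.rglob("*"):
        if p.is_file():
            try:
                kind = pe_kind_of_file(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if kind == "PE32":
                yield p, kind


def build_minimal_pe(magic: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed test data: just enough header for the classifier, not a loadable executable."""
    buf = bytearray(e_lfanew + _NT_PREFIX_LEN)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        for p, kind in find_pe32(Path(sys.argv[1])):
            print(f"{kind}\t{p}")
    else:
        # No directory given: demonstrate on a temporary tree of constructed files.
        with tempfile.TemporaryDirectory() as d:
            root = Path(d)
            (root / "a.exe").write_bytes(build_minimal_pe(PE32_MAGIC))
            (root / "b.dll").write_bytes(build_minimal_pe(PE32PLUS_MAGIC))
            (root / "c.txt").write_bytes(build_minimal_pe(PE32_MAGIC))  # PE32 behind a benign extension
            (root / "d.bin").write_bytes(b"not a PE at all")
            for p, kind in sorted(find_pe32(root)):
                print(f"{kind}\t{p.name}")
```

Run it with a directory argument to list PE32 files for an allowlist or integrity baseline; with no argument it exercises itself on a temporary tree where `c.txt` shows why the header, not the extension, has to decide.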
🔍 How to Verify
Check if Vulnerable:
Check WithSecure product version against affected versions listed in vendor advisory
Check Version:
Check via WithSecure management console or local client interface for version information
Verify Fix Applied:
Verify that the antivirus engine version matches the patched version in the advisory, then confirm the engine scans a known benign PE32 file without crashing or restarting.
📡 Detection & Monitoring
Log Indicators:
- Antivirus engine crash events
- Service restart events
- Failed scan attempts on PE32 files
Network Indicators:
- Unusual file transfers of PE32 files to multiple endpoints
SIEM Query:
(EventID: AntivirusEngineCrash OR EventID: ServiceRestart) AND ProcessName: WithSecure*
The parentheses matter: in most query languages AND binds tighter than OR, so without them the crash clause matches every service on the estate and the process filter only applies to restarts.
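The indicators above become useful once they are correlated per host: one crash is a fault, three crashes inside ten minutes with a restart after each is the signature of a crafted file being rescanned every time the engine comes back. The following Python is an added example, not WithSecure's code or a query from the vendor advisory. It runs over constructed, normalized key=value events of the kind a SIEM might export; the field names and the process name `WithSecureScanner` are assumptions for the example and must be mapped to your own schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: normalized key=value events as a SIEM might emit them.
# Field names and the process name "WithSecureScanner" are assumptions for this example.
SAMPLE_EVENTS = """\
2024-03-04T09:12:01Z host=ws01 event=service_crash process=WithSecureScanner
2024-03-04T09:12:09Z host=ws01 event=service_restart process=WithSecureScanner
2024-03-04T09:14:30Z host=ws01 event=service_crash process=WithSecureScanner
2024-03-04T09:14:41Z host=ws01 event=service_restart process=WithSecureScanner
2024-03-04T09:16:05Z host=ws01 event=service_crash process=WithSecureScanner
2024-03-04T09:16:12Z host=ws01 event=service_restart process=WithSecureScanner
2024-03-04T09:20:00Z host=ws02 event=service_crash process=WithSecureScanner
2024-03-04T09:20:07Z host=ws02 event=service_restart process=WithSecureScanner
2024-03-04T09:21:00Z host=ws03 event=service_crash process=PrintSpooler
2024-03-04T09:25:00Z host=ws04 event=service_crash process=WithSecureScanner
"""

_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) process=(?P<proc>\S+)$")


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse (timestamp, host, event, process) tuples, oldest first; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, m["host"], m["event"], m["proc"]))
    return sorted(out)


def is_withsecure_lifecycle(event: str, proc: str) -> bool:
    """Mirror of the intended query: (crash OR restart) AND process matches WithSecure*.
    Written as one expression so the precedence is explicit; a bare 'crash OR restart AND proc'
    would match every crash of every service."""
    return event in ("service_crash", "service_restart") and proc.startswith("WithSecure")


def protection_gaps(text: str) -> Dict[str, List[Optional[int]]]:
    """Per host, seconds between each engine crash and the next restart; None if it never came back."""
    gaps: Dict[str, List[Optional[int]]] = defaultdict(list)
    down_since: Dict[str, datetime] = {}
    for ts, host, event, proc in parse_events(text):
        if not is_withsecure_lifecycle(event, proc):
            continue
        if event == "service_crash":
            if host in down_since:
                gaps[host].append(None)  # crashed again with no restart seen in between
            down_since[host] = ts
        elif host in down_since:
            gaps[host].append(int((ts - down_since.pop(host)).total_seconds()))
    for host in down_since:
        gaps[host].append(None)  # still down at the end of the log: the worst case in the advisory
    return dict(gaps)


def repeated_crash_alerts(text: str, threshold: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, int]]:
    """Hosts whose engine crashed at least `threshold` times inside any sliding `window`."""
    crashes: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, event, proc in parse_events(text):
        if is_withsecure_lifecycle(event, proc) and event == "service_crash":
            crashes[host].append(ts)
    alerts = []
    for host, times in crashes.items():
        best, j = 0, 0
        for i, t in enumerate(times):  # two-pointer sweep over the sorted crash times
            while j < len(times) and times[j] - t <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append((host, best))
    return sorted(alerts)


if __name__ == "__main__":
    for host, gaps in sorted(protection_gaps(SAMPLE_EVENTS).items()):
        print(f"{host}: unprotected for {gaps} seconds per crash (None = not yet restarted)")
    for host, n in repeated_crash_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {n} engine crashes inside one window, suspect crafted PE32 being rescanned")
```

On the constructed sample, `ws01` is the only alert (three crashes in four minutes), `ws02` shows a single seven-second gap, `ws04` is still down at the end of the log, and `ws03` is ignored because its crash belongs to another service. Tune `threshold` and `window` to your restart cadence, and alert separately on any gap that is `None` for longer than the engine normally takes to restart.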