Cybersecurity defenders everywhere rely on endpoint protection software as their first line of defense. But what if that very software itself has a flaw that makes crashing it easy — even over the internet? In this exclusive post, we break down CVE-2022-38166, a vulnerability in F-Secure Endpoint Protection for Windows and macOS that lets attackers remotely crash the antivirus scanning engine using a crafted file. We'll lay out how it works, show real snippets of code that simulate the crash, and share how to stay protected.
What is CVE-2022-38166?
CVE-2022-38166 is a vulnerability in F-Secure Endpoint Protection (for Windows and macOS) in which the aerdl.dll unpacker handler can crash while processing a specially crafted malicious file. With a Capricorn database version earlier than 2022-11-22_07, the engine is vulnerable and the crash can be triggered remotely, for example by emailing or dropping malicious files, leading to a Denial of Service (DoS). In effect, the antivirus engine crashes and users are left without active protection.
Impact: Remote Denial of Service (DoS)
- CVE: CVE-2022-38166
- Reference: F-Secure Security Advisory FSC-2022-3
How Does the Exploit Work?
Anytime F-Secure scans a file (from email, USB, download), it passes that file through various unpacker handlers in DLLs (dynamic-link libraries). One such library is aerdl.dll. If a file is crafted in a specific broken way that confuses this DLL, it will crash the scanner engine process — usually named fshoster32.exe or similar.
- An attacker can email, upload or otherwise deliver a malicious file to the target running F-Secure.
- Once the scanner touches this file (on disk, via email, or even over a network share), it will crash the antivirus engine.
Detailed Impact
- No code execution — the attacker can’t take over the victim, but they can leave them unprotected.
Example: Triggering the Crash (Simulated)
While the real sample is not public, research shows the crash is based on malformed archives or executables that the aerdl.dll tries to unpack.
Below is a Python snippet that creates a corrupted ZIP file, which is a common vector for antivirus engines (NOTE: This is a safe simulation, not the real exploit):
```python
# Make a minimal broken ZIP file
with open("crashme.zip", "wb") as f:
    # Write a valid header but empty content
    f.write(b'PK\x03\x04')  # ZIP local file header signature
    f.write(b'\x00' * 30)   # Minimal fields, all zero
    # Invalid size, triggers handling issue in some parsers
    f.write(b'\xFF' * 10)   # Corrupt data
print("Fake crash-me ZIP created. If scanned by vulnerable F-Secure, it may trigger a crash.")
```
> In true exploits, attackers may use advanced fuzzing tools to generate thousands of variants until one reliably crashes the handler.
1. Craft a malicious file (e.g., a specially corrupted ZIP or EXE).
2. Send the file to the victim (email attachment, chat, web, or via USB/SMB).
3. The victim's F-Secure scans the file (automatically or manually), causing aerdl.dll to attempt to unpack it.
4. The engine crashes — F-Secure’s main process stops, sometimes restarts.
5. Protection is disabled until the service recovers, possibly leaving the system open for further attacks.
Original References
- CVE-2022-38166 entry (NVD)
- WithSecure (formerly F-Secure) advisory FSC-2022-3
- SecurityWeek coverage
How to Defend Against this Vulnerability
- Update Immediately: Ensure F-Secure Capricorn database is at least 2022-11-22_07. Newer versions fix this issue.
- Restrict File Scanning: Limit exposure by configuring F-Secure to not automatically scan all network drives or emails until updated.
- Monitor Logs: If F-Secure scanning engines unexpectedly crash or become unavailable, check for potential exploitation.
- User Awareness: Warn users about unexpected files (especially ZIPs/exes) from unknown sources.
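As an added example (not part of the original post and not F-Secure's own tooling), the "Monitor Logs" point above can be turned into a simple check over crash events from a log feed: it flags hosts where the scanner process or aerdl.dll appears in an application-error or service-termination event, and escalates when several such crashes land inside a short window, which is the crash/restart loop that leaves a host unprotected. The log line format, host names and message text are constructed assumptions; event IDs 1000 (Application Error) and 7034 (service terminated unexpectedly) are the standard Windows event IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ts> host=<h> event_id=<id> msg=<text>" format;
# not real F-Secure or Windows output. Event 1000 = Application Error, 7034 = service stopped.
SAMPLE_LOG = """\
2022-11-23T09:14:02Z host=WS-017 event_id=1000 msg=Faulting application name: fshoster32.exe, Faulting module name: aerdl.dll
2022-11-23T09:14:05Z host=WS-017 event_id=7034 msg=Service fshoster32 terminated unexpectedly. It has done this 1 time(s).
2022-11-23T09:16:40Z host=WS-017 event_id=1000 msg=Faulting application name: fshoster32.exe, Faulting module name: aerdl.dll
2022-11-23T09:20:11Z host=WS-042 event_id=1000 msg=Faulting application name: notepad.exe, Faulting module name: ntdll.dll
2022-11-23T11:02:00Z host=WS-099 event_id=1000 msg=Faulting application name: fshoster32.exe, Faulting module name: aerdl.dll
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event_id=(\d+) msg=(.*)$")
# Scanner process and unpacker DLL named in the write-up above.
SCANNER_MARKERS = ("fshoster32", "aerdl.dll")

def parse_log(text):
    """Parse lines into (timestamp, host, event_id, msg) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            records.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return records

def is_scanner_crash(event_id, msg):
    """App-error (1000) or service-stop (7034) event that names the scanner process or DLL."""
    low = msg.lower()
    return event_id in (1000, 7034) and any(mk in low for mk in SCANNER_MARKERS)

def scanner_crash_alerts(text, window=timedelta(minutes=10), threshold=2):
    """Map host -> 'repeated-crash' (>= threshold crashes inside window) or 'single-crash'."""
    crashes = defaultdict(list)
    for ts, host, event_id, msg in parse_log(text):
        if is_scanner_crash(event_id, msg):
            crashes[host].append(ts)
    alerts = {}
    for host, times in crashes.items():
        times.sort()
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        alerts[host] = "repeated-crash" if burst else "single-crash"
    return alerts

if __name__ == "__main__":
    for host, severity in scanner_crash_alerts(SAMPLE_LOG).items():
        print(f"{host}: {severity}")  # WS-017: repeated-crash, WS-099: single-crash
```

A single crash is worth a look (and a definitions-version check against 2022-11-22_07); a repeated-crash host should be treated as running without protection until the engine is confirmed back up.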
Wrap-Up
CVE-2022-38166 is a classic reminder that security software itself can become a target. Attackers only need to trick the antivirus into interacting with a broken file to knock it offline, potentially leaving systems unprotected. Updating to the latest F-Secure definitions is critical — and more broadly, always keeping endpoint security up-to-date is foundational cyber hygiene.
Stay safe. Update your protections. Know your CVEs.
*Exclusive content by AI, based on details from official sources and responsible disclosure practices. For further technical deep dives and tips, follow the links above.*
Timeline
Published on: 11/25/2022 15:15:00 UTC
Last modified on: 11/30/2022 21:10:00 UTC