SecurityTracker Archives
Category:   Device (Embedded Server/Appliance)  >   Cisco Email Security Appliance
Vendors:   Cisco
(Cisco Issues Advisory for Cisco IronPort) Sophos Anti-Virus Bugs Let Remote Users Execute Arbitrary Code with Root Privileges and Conduct Cross-Site Scripting Attacks and Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1027743
SecurityTracker URL:  http://securitytracker.com/id/1027743
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 9 2012
Impact:   Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, Root access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Several vulnerabilities were reported in Sophos Anti-Virus. A remote user can execute arbitrary code on the target system. A local user can obtain elevated privileges on the target system. A remote user can conduct cross-site scripting attacks. Cisco IronPort is affected.

A remote user can create a specially crafted file that, when processed by the target anti-virus software, will trigger a buffer overflow or memory corruption error and execute arbitrary code on the target system. The code will run with root or System privileges.

Visual Basic executable, RAR, PDF, and Microsoft CAB file formats are affected.

On Windows-based systems, a local user can exploit a flaw in directory access permissions of the network update service to replace certain files and cause arbitrary code to be executed on the target system with System privileges.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

On Windows-based systems, the Sophos Buffer Overflow Protection System (BOPS) effectively disables the operating system's Address Space Layout Randomization (ASLR) protections.

On Windows-based systems, the software installs a Layered Service Provider (LSP) that loads modules from a low-integrity writable directory, which effectively disables Internet Explorer's protected mode.

The original advisory is available at:

https://lock.cmpxchg8b.com/sophailv2.pdf

Tavis Ormandy reported these vulnerabilities.

Impact:   A remote user can execute arbitrary code on the target system with root or system privileges.

A local user can obtain System privileges on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   Cisco has issued an advisory for Cisco IronPort, which is affected by these vulnerabilities.

No solution for Cisco IronPort was available at the time of this entry.

Cisco has described configuration workarounds in their advisory.

The Cisco advisory is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos

Cause:   Access control error, Boundary error, Input validation error, Randomization error

Message History:   This archive entry is a follow-up to the message listed below.
Nov 6 2012 Sophos Anti-Virus Bugs Let Remote Users Execute Arbitrary Code with Root Privileges and Conduct Cross-Site Scripting Attacks and Let Local Users Gain Elevated Privileges

Source Message Contents

Subject:  Cisco Security Advisory: Cisco Ironport Appliances Sophos Anti-virus Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Ironport Appliances Sophos Anti-virus Vulnerabilities

Advisory ID: cisco-sa-20121108-sophos

Revision 1.0

For Public Release 2012 November 9 03:00 UTC (GMT)
- ----------------------------------------------------------------------

Summary
=======

Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web
Security Appliances (WSA) include versions of Sophos Anti-Virus that
contain multiple vulnerabilities that could allow an unauthenticated,
remote attacker to gain control of the system, escalate privileges, or
cause a denial-of-service (DoS) condition. An attacker could exploit
these vulnerabilities by sending malformed files to an appliance that
is running Sophos Anti-Virus. The malformed files could cause the
Sophos antivirus engine to behave unexpectedly.

As updates that address these vulnerabilities become available from
Sophos, Cisco is working to qualify and automatically provision them
through the Cisco Ironport ESA and WSA platforms.

A workaround that mitigates these vulnerabilities is available. This
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iF4EAREIAAYFAlCcc5kACgkQUddfH3/BbToP4gD9EAi0HThOKyN0FiypwUcOmL8Y
b99aEPPaiqLIhNwifncA/2ijY0H+wz0TPPBbTywNoXjlgor+1AZqzzIXEOEndiMf
=6YeL
-----END PGP SIGNATURE-----
_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

Copyright 2021, SecurityGlobal.net LLC