(Cisco Issues Advisory for Cisco IronPort) Sophos Anti-Virus Bugs Let Remote Users Execute Arbitrary Code with Root Privileges and Conduct Cross-Site Scripting Attacks and Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1027743
SecurityTracker URL: http://securitytracker.com/id/1027743
Date: Nov 9 2012
Impact: Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via local system, Root access via network
Vendor Confirmed: Yes
Exploit Included: Yes
Several vulnerabilities were reported in Sophos Anti-Virus. A remote user can execute arbitrary code on the target system. A local user can obtain elevated privileges on the target system. A remote user can conduct cross-site scripting attacks. Cisco IronPort is affected.
A remote user can create a specially crafted file that, when scanned by the target anti-virus software, will trigger a buffer overflow or memory corruption error and execute arbitrary code on the target system. No user interaction beyond the scan itself is required. The code will run with root or System privileges, depending on the platform.
The parsers for Visual Basic executables, RAR archives, PDF documents, and Microsoft CAB archives are affected.
On Windows-based systems, a local user can exploit a flaw in directory access permissions of the network update service to replace certain files and cause arbitrary code to be executed on the target system with System privileges.
The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will run in the security context of an arbitrary site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
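As an added illustration of the class of flaw described above (this is not code from Sophos, Cisco or the advisory), the following Python models a hypothetical block page that reflects a requested URL into HTML three ways: unfiltered, with a blocklist that strips `<script>` tags (the "filter HTML code" approach the entry refers to), and with context-appropriate HTML escaping. The template, the URL payloads and the small auditor are all constructed for this example; the auditor flags any tag beyond the template's own `<p>`/`<a>`, any `on*` event-handler attribute and any `javascript:` href.

```python
import html
import re
from html.parser import HTMLParser

# Constructed for this example: a hypothetical block page that reflects the
# requested URL both into an attribute and into element text. Not vendor code.
TEMPLATE = '<p>Access to <a href="{url}">{url}</a> was blocked.</p>'

# Constructed sample inputs an attacker could supply as the "requested URL".
PAYLOADS = [
    'http://example.test/"><script>alert(document.cookie)</script>',
    'http://example.test/" onmouseover="alert(document.cookie)',
    'http://example.test/<img src=x onerror=alert(document.cookie)>',
]

_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def render_unfiltered(url: str) -> str:
    """Vulnerable: user input is interpolated straight into the markup."""
    return TEMPLATE.format(url=url)


def render_blocklist_filtered(url: str) -> str:
    """Still vulnerable: strips <script> tags and nothing else, so attribute
    break-outs and event handlers on other tags pass straight through."""
    return TEMPLATE.format(url=_SCRIPT_TAG.sub("", url))


def render_escaped(url: str) -> str:
    """Hardened: HTML-escape the value (quote=True also escapes " and ') so
    it can neither close the surrounding attribute nor open a new tag."""
    return TEMPLATE.format(url=html.escape(url, quote=True))


class _Auditor(HTMLParser):
    """Flags markup the template did not emit itself: foreign tags,
    on* event-handler attributes and javascript: URLs."""

    ALLOWED_TAGS = {"p", "a"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname} on <{tag}>")
            if lname == "href" and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL on <{tag}>")


def audit(rendered: str) -> list[str]:
    """Return the active-content findings for one rendered page."""
    auditor = _Auditor()
    auditor.feed(rendered)
    auditor.close()
    return auditor.findings


def demo() -> dict[str, list[int]]:
    """Number of findings per payload for each rendering strategy."""
    renderers = {
        "unfiltered": render_unfiltered,
        "blocklist": render_blocklist_filtered,
        "escaped": render_escaped,
    }
    return {name: [len(audit(fn(p))) for p in PAYLOADS] for name, fn in renderers.items()}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:10s} findings per payload: {counts}")
```

Running `demo()` shows that the blocklist stops the first payload but not the attribute break-out or the `<img onerror>` variant, while escaping the reflected value neutralizes all three. In a real product the encoding has to match each output context (HTML body, attribute, URL, JavaScript); a single tag blocklist is not a substitute.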
On Windows-based systems, the Sophos Buffer Overflow Protection System (BOPS) effectively disables the operating system's Address Space Layout Randomization (ASLR) protections.
On Windows-based systems, the software installs a Layered Service Provider (LSP) that loads modules from a low-integrity writable directory, which effectively disables Internet Explorer's protected mode.
The original advisory is available at:
Tavis Ormandy reported these vulnerabilities.
A remote user can execute arbitrary code on the target system with root or System privileges.
A local user can obtain System privileges on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Cisco has issued an advisory for Cisco IronPort, which is affected by these vulnerabilities.
No solution for Cisco IronPort was available at the time of this entry.
Cisco has described configuration workarounds in their advisory.
The Cisco advisory is available at:
Cause: Access control error, Boundary error, Input validation error, Randomization error
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Cisco Security Advisory: Cisco Ironport Appliances Sophos Anti-virus Vulnerabilities
Cisco Ironport Appliances Sophos Anti-virus Vulnerabilities
Advisory ID: cisco-sa-20121108-sophos
For Public Release 2012 November 9 03:00 UTC (GMT)
Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web
Security Appliances (WSA) include versions of Sophos Anti-Virus that
contain multiple vulnerabilities that could allow an unauthenticated,
remote attacker to gain control of the system, escalate privileges, or
cause a denial-of-service (DoS) condition. An attacker could exploit
these vulnerabilities by sending malformed files to an appliance that
is running Sophos Anti-Virus. The malformed files could cause the
Sophos antivirus engine to behave unexpectedly.
As updates that address these vulnerabilities become available from
Sophos, Cisco is working to qualify and automatically provision them
through the Cisco Ironport ESA and WSA platforms.
A workaround that mitigates these vulnerabilities is available. This
advisory is available at the following link: