-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2012.0152
       Multiple vulnerabilities have been fixed in Sophos products
                              6 November 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Sophos Threat Detection Engine
                   Sophos Anti-Virus for Windows
                   Sophos Anti-Virus for Unix
                   Sophos Anti-Virus for Mac OS X
                   Sophos Anti-Virus for Linux
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Member content until: Thursday, December 6 2012

Comment: A Metasploit payload demo exists as a proof of concept exploit of
         the PDF stack buffer overflow vulnerability present in the Sophos
         on-access scanner.

OVERVIEW

        Multiple vulnerabilities have been identified in Sophos products. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "Integer overflow parsing Visual Basic 6 controls

        Description: A remote code execution vulnerability in how the Sophos
        Anti-Virus engine scans malformed Visual Basic 6 compiled files -
        Visual Basic 6 executables include metadata for GUIDs, Names, Paths,
        etc. Sophos Anti-Virus extracts some of this metadata when it finds a
        VB6 executable. The validation code for this metadata incorrectly
        handled integer overflows, which could lead to a heap overflow
        exploit.

        Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]

        "sophos_detoured_x64.dll ASLR bypass

        Description: An issue with the BOPS technology in Sophos Anti-Virus
        for Windows and how it interacts with Address Space Layout
        Randomisation (ASLR) on Windows Vista and later. Sophos BOPS
        protection requires most processes to load the Sophos_detoured_x64
        DLL but this DLL was not using ASLR, which resulted in it being
        loaded at a static address, effectively bypassing the use of ASLR
        elsewhere in the product and increasing the opportunity for
        exploits.

        Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]

        "Internet Explorer protected mode is effectively disabled by Sophos

        Description: An issue with how Sophos protection interacts with
        Internet Explorer's Protected Mode - Sophos installs a Layered
        Service Provider (LSP) into Internet Explorer that loaded DLL files
        from writable directories. This effectively disabled Internet
        Explorer's protected mode, as legitimate DLLs could be altered or
        replaced and IE will still execute them.

        Affected product(s): Anti-Virus 10.x" [1]

        "Universal XSS

        Description: The Sophos web protection and web control Layered
        Service Provider (LSP) block page was found to include a flaw that
        could be exploited, by specially crafted web sites, to run Java code
        inserted in the URL query tags.

        Affected product(s): Anti-Virus 10.x" [1]

        "Memory corruption vulnerability in Microsoft CAB parsers

        Description: A vulnerability in the way the Sophos Anti-Virus engine
        handles specially crafted CAB files, which could cause the engine to
        corrupt memory - There is an error in the way the process checks
        which compression algorithm is specified for the CFFolder structure.
        The error leads to the range check on the input data size being
        skipped, leading to a buffer overflow.

        Affected product(s): Threat Detection Engine 3.35.1 and earlier" [1]

        "RAR virtual machine standard filters memory corruption

        Description: A vulnerability in the way the Sophos Anti-Virus engine
        handled specially crafted RAR files, which could cause the engine to
        corrupt memory - RAR decompression includes a byte-code interpreting
        VM. The VM_STANDARD opcode takes a filter as an operand. These
        filters were not being handled correctly.

        Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]

        "Privilege escalation through network update service

        Description: A lack of access control on the Sophos updating
        directory that potentially allowed any user to insert their own file
        and have it executed - the Sophos network update service runs with
        NT AUTHORITY\SYSTEM privileges. This service loads modules from a
        directory that was writable with no privileges. A specifically
        crafted DLL file could be placed in the world-writable directory and
        loaded by the update service with SYSTEM privileges.

        Affected product(s): Anti-Virus 9.x & Anti-Virus 10.x" [1]

        "Stack buffer overflow decrypting PDF files

        Description: A remote code execution vulnerability in the way the
        Sophos Anti-Virus engine decrypts revision 3 PDF files that have
        been specially crafted with an over-length size attribute - the
        Sophos Anti-Virus engine parses encrypted revision 3 PDF files by
        reading the encryption key contents onto a fixed length stack buffer
        of 5 bytes. A specifically crafted PDF file with the Length attribute
        greater than 5^8 would cause a buffer overflow.

        Affected product(s): Threat Detection Engine 3.36.2 and earlier" [1]

MITIGATION

        The vendor recommends updating to the latest versions of the related
        products to correct these vulnerabilities. [1]

REFERENCES

        [1] Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products
            http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUJioCe4yVqjM2NGpAQK8EQ//bKZMOyfajb2lX1XIWZuATF3hRPFyc7Vf
T8MkBi558/aKdNnNFLP8dYAMI1ey7crJwm5D2lRpH3ePiwspfc8Y7TyZ6To5xVIQ
SIwS94GGiTe5woA4yShUvchF5mrSepy5lTWzlH1J5ZVYCcmsYOWh4F3P+fmluD/c
hJEaD9lKQz2mU9McF7/e1re08Yli2HlXCcBfE7py3xihKqYqVghxRCTEL+oU/yLQ
XssJzuGX2z+AiXIf8jprReZwpmlgaXJWVBoN2RffD7xooV8knTxODjDVIDjh6cMx
7PLqTDx6oqSAu12NE7rYX/rAO5VrBC5cEzRIpVziHFLxTVIg4VK3tL4C0aVXWKtE
es6jto3yXflxpPOeV68BWLRhxVA/ZI9PEBTV2albR1i6lrtIth0wGKcn9dkpS/kC
sXMkEY8OiReV0lRpb71X/Ev3X4nq6H4nIlD8I0BWlXpTa53WQjyT12rnfUZ5pzJJ
Bf668kpHssaTCifnvMw9r8okEFs70k6+CbFzJl/RU9QhUvC2WLKGkdRQoTxUkZc5
IfzT/4tSIhSzsY7f7bqvI3V7Sae5pQ+j6KIVwJoun8Ugia7NGGlczlZpEL2JatcT
RCHptwimWZopYGMM5wAc4MtZshd5xCnsoiTTt0SdYXKrMFRfKbdV6pYnFVBTn/UI
84o7b81RJ6A=
=V2IN
-----END PGP SIGNATURE-----
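The Visual Basic 6, CAB and PDF items in the bulletin share one defect class: a size or offset taken from the scanned file is checked in a way that integer wraparound or a skipped range check defeats, and a later read or copy then runs past a fixed buffer. The following is an added illustration of that class and of the check that closes it; it is not code from the bulletin, from Sophos or from AusCERT. The functions, the sample values and the container layout are constructed for the example; only the 5-byte destination buffer echoes the bulletin's PDF description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example: a container format declares a field as
 * (offset, length) inside a scanned file of file_size bytes. The scanner
 * must prove the field lies entirely within the file before reading it.
 */

/* Flawed check of the kind the bulletin describes: offset + length is
 * computed in 32-bit unsigned arithmetic and wraps, so an enormous length
 * can pass as "in bounds" and a later read runs off the end of the data. */
bool field_in_bounds_flawed(uint32_t offset, uint32_t length, uint32_t file_size)
{
    return offset + length <= file_size;   /* wraps when the true sum exceeds 2^32 - 1 */
}

/* Hardened check: never form the sum. Confirm the offset itself is inside
 * the file, then compare the length against the space that remains. */
bool field_in_bounds_safe(uint32_t offset, uint32_t length, uint32_t file_size)
{
    if (offset > file_size)
        return false;
    return length <= file_size - offset;   /* subtraction cannot underflow here */
}

/* Fixed-size destination, as for a short key read from a file header.
 * The declared length comes from untrusted input and is checked first. */
#define KEY_BUF_LEN 5

/* Returns the number of bytes copied, or -1 if the declared length does not fit. */
int copy_key_checked(const uint8_t *src, uint32_t declared_len, uint8_t out[KEY_BUF_LEN])
{
    if (declared_len > KEY_BUF_LEN)
        return -1;                         /* reject rather than overflow the stack buffer */
    memcpy(out, src, declared_len);
    return (int)declared_len;
}

int main(void)
{
    /* A field whose length is chosen so that offset + length wraps past zero. */
    const uint32_t file_size = 0x1000, offset = 0x10, huge_len = 0xFFFFFFF8u;

    printf("flawed check accepts wrapped field: %s\n",
           field_in_bounds_flawed(offset, huge_len, file_size) ? "yes" : "no");
    printf("safe check accepts wrapped field:   %s\n",
           field_in_bounds_safe(offset, huge_len, file_size) ? "yes" : "no");

    /* A constructed header that declares 8 key bytes for a 5-byte buffer. */
    const uint8_t header[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t key[KEY_BUF_LEN];
    printf("copy with declared length 8: %d\n", copy_key_checked(header, 8, key));
    printf("copy with declared length 5: %d\n", copy_key_checked(header, 5, key));
    return 0;
}
```

Build with any C99 compiler (for example `cc -Wall -o bounds bounds.c`). The flawed check reports the wrapped field as in bounds while the safe check rejects it; the same "compare against remaining space, never against a computed sum" pattern is what a parser's range check for CAB folder data or a PDF Length attribute needs.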