Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products

  • Article ID: 118424
  • Updated: 20 Dec 2013

Sophos continually improves the protection delivered by our products with regular updates, and we always recommend that customers upgrade to the latest version to get the best protection.

As a security company, keeping our customers safe is our primary responsibility. Improving protection is key, but we also continually improve the security of our own products, including by working with independent security researchers.

In this case, Sophos has been working with Tavis Ormandy, who approached Sophos with a number of vulnerabilities that he had discovered after examining our endpoint protection product.

Known to apply to the following Sophos product(s) and version(s)
Differs per vulnerability. See tables below for details. 

Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure. The specific vulnerabilities that he reported are:

  1. Integer overflow parsing Visual Basic 6 controls
  2. sophos_detoured_x64.dll ASLR bypass
  3. Internet Explorer protected mode is effectively disabled by Sophos
  4. Universal XSS
  5. Memory corruption vulnerability in Microsoft CAB parsers
  6. RAR virtual machine standard filters memory corruption
  7. Privilege escalation through network update service
  8. Stack buffer overflow decrypting PDF files

More recently, Mr Ormandy provided examples of other specially crafted files (with no associated vulnerabilities) which would cause the Sophos Anti-Virus engine to behave unexpectedly if scanned. A new version of the Anti-Virus engine, to better handle these types of files, will begin rolling out to Sophos customers on November 28th 2012.

If you are using a Sophos gateway security product (i.e., PureMessage for UNIX, Sophos UTM, or a web/email appliance) we have released Sophos Anti-Virus version 4.83 to gateway security products to address all relevant vulnerabilities listed below. For details see article 118522.

Recommended product versions

The table below gives the minimum product version we recommend for each platform. Upgrading to it resolves all relevant vulnerabilities listed above and also provides the best protection.

Platform                 Recommended product version
Windows 2000+            10.2.1 / 10.0.9† / 9.7.8‡ / 9.5.7‡
Mac OS X                 8.0.8
Managed Linux/UNIX v9    9.0.0
Managed Linux/UNIX v7    7.5.11
Unmanaged Linux/UNIX     4.83.0

† If you are running Sophos Anti-Virus for Windows 10.0.9 you have all fixes except for the Internet Explorer protected mode issue, which will be addressed in Sophos Anti-Virus for Windows 10.0.10 in early December.
‡ 9.x are 'Extended Maintenance' packages that are currently scheduled for phased roll-out in December.

If you have a gateway product, check the engine version and ensure it matches the recommended version:

Platform                 Version
Sophos Web Appliance     2012.11.8.4830003
Sophos Email Appliance   483000.0.20121108.1256
Sophos UTM               4.83.0
PureMessage for UNIX     4.83.0

I cannot upgrade to the recommended version, what should I do?

If you have computers running Windows 2000/XP/2003/Vista/7/2008/2008 R2/8 and feel you are unable to upgrade to the recommended product, please contact Technical Support or your account manager to discuss ways to overcome the upgrade issues.

How do I upgrade to the recommended version?

Ensure your Sophos Update Manager is subscribed to the software package labeled 'Recommended' as described in our article: Managing your software subscriptions in Enterprise Console.


Details of vulnerabilities

Integer overflow parsing Visual Basic 6 controls
Description: A remote code execution vulnerability in how the Sophos Anti-Virus engine scans malformed Visual Basic 6 compiled files. Visual Basic 6 executables include metadata such as GUIDs, names and paths, and Sophos Anti-Virus extracts some of this metadata when it finds a VB6 executable. The validation code for this metadata handled integer overflows incorrectly, which could lead to a heap overflow.
Affected product(s): Threat Detection Engine 3.35.1 and earlier
Fixed in: Threat Detection Engine 3.36.2
          Anti-Virus for Unix 4.82
First reported to us: September 10th 2012
Days until fix was released: 42
Roll-out of fix completed on: October 22nd 2012
Exploit seen in the wild? No


sophos_detoured_x64.dll ASLR bypass
Description: An issue with the BOPS technology in Sophos Anti-Virus for Windows and how it interacts with Address Space Layout Randomisation (ASLR) on Windows Vista and later. Sophos BOPS protection requires most processes to load the Sophos_detoured DLL on 32-bit and 64-bit systems, but this DLL was not built to use ASLR and was therefore loaded at a static address, effectively bypassing the use of ASLR elsewhere in the product and increasing the opportunity for exploits.
Affected product(s): Anti-Virus 9.x (when running on Windows Vista and later)
                     Anti-Virus 10.x (when running on Windows Vista and later)
Fixed in: Anti-Virus 10.2.0
          Anti-Virus 10.0.9
          Anti-Virus 9.7.8
          Anti-Virus 9.5.7
First reported to us: September 10th 2012
Days until fix was released: 42
Roll-out of fix completed on: October 22nd 2012
Exploit seen in the wild? No
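The property the Sophos_detoured DLL lacked is an opt-in flag in its PE header. The C check below is an added example, not Sophos code: pe_dynamic_base reports whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is set in an image held in memory, and make_sample_pe builds a constructed, minimal header so the check can be exercised without a real DLL; field offsets follow the PE/COFF specification.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not Sophos code: does a PE image in memory opt in to ASLR
 * (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)? PE/COFF layout used: e_lfanew at
 * 0x3c, "PE\0\0", 20-byte COFF header, optional header with DllCharacteristics
 * at offset 70 (same for PE32 and PE32+); 72 optional-header bytes are needed. */
#define DYNAMIC_BASE 0x0040u
#define E_LFANEW_OFF 0x3cu

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* 1 if DYNAMIC_BASE is set, 0 if clear, -1 if not a well-formed or complete
 * PE header. Every offset is checked against len before it is read. */
int pe_dynamic_base(const uint8_t *img, size_t len)
{
    if (len < E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + E_LFANEW_OFF);
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;     /* PE32 or PE32+ */
    return (rd16(opt + 70) & DYNAMIC_BASE) ? 1 : 0;
}

/* Constructed, minimal PE32+ header (not a loadable image) for offline use;
 * dllchars becomes DllCharacteristics. Returns bytes written, 0 if cap < 160. */
size_t make_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchars)
{
    const size_t need = 0x40 + 4 + 20 + 72;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; buf[E_LFANEW_OFF] = 0x40;   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *opt = buf + 0x40 + 24;
    opt[0] = 0x0b; opt[1] = 0x02;           /* magic 0x20b: PE32+ */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return need;
}

/* Build a sample with the given DllCharacteristics and check it in one call. */
int sample_dynamic_base(uint16_t dllchars)
{
    uint8_t buf[256];
    size_t n = make_sample_pe(buf, sizeof buf, dllchars);
    return n ? pe_dynamic_base(buf, n) : -1;
}
```

On a real module the same check can be run over the first few hundred bytes read from the DLL file; a result of 0 is the condition described in this advisory.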


Internet Explorer protected mode is effectively disabled by Sophos
Description: An issue with how Sophos protection interacts with Internet Explorer's Protected Mode. Sophos installs a Layered Service Provider (LSP) into Internet Explorer that loaded DLL files from writable directories. This effectively disabled Internet Explorer's Protected Mode, as legitimate DLLs could be altered or replaced and IE would still execute them.
Affected product(s): Anti-Virus 10.x
Fixed in: Anti-Virus 10.2.1
          Anti-Virus 10.0.10
First reported to us: September 10th 2012
Days until fix was released: 56
Roll-out of fix commenced on: November 5th 2012 for 10.2.1; early December for 10.0.10
Exploit seen in the wild? No


Universal XSS
Description: The block page served by the Sophos web protection and web control Layered Service Provider (LSP) was found to include a flaw that could be exploited by specially crafted web sites to run JavaScript code inserted into the URL query string.
Affected product(s): Anti-Virus 10.x
Fixed in: Anti-Virus 10.0.9
          Anti-Virus 10.2.0
First reported to us: September 10th 2012
Days until fix was released: 42
Roll-out of fix completed on: October 22nd 2012
Exploit seen in the wild? No


Memory corruption vulnerability in Microsoft CAB parsers
Description: A vulnerability in the way the Sophos Anti-Virus engine handles specially crafted CAB files, which could cause the engine to corrupt memory. There is an error in the way the engine checks which compression algorithm is specified for the CFFolder structure. Because of this error the range check on the input data size is skipped, which leads to a buffer overflow.
Affected product(s): Threat Detection Engine 3.35.1 and earlier
Fixed in: Threat Detection Engine 3.36.2
          Anti-Virus for Unix 4.82
First reported to us: September 10th 2012
Days until fix was released: 42
Roll-out of fix completed on: October 22nd 2012
Exploit seen in the wild? No


RAR virtual machine standard filters memory corruption
Description: A vulnerability in the way the Sophos Anti-Virus engine handled specially crafted RAR files, which could cause the engine to corrupt memory. RAR decompression includes a byte-code interpreting VM, and the VM_STANDARD opcode takes a filter as an operand. These filters were not being handled correctly.
Affected product(s): Threat Detection Engine 3.36.2 and earlier
Fixed in: Threat Detection Engine 3.37.2
          Threat Detection Engine 3.37.10 (used in Anti-Virus for Mac OS X 8.0.8)
          Threat Detection Engine 3.37.20 (used in Anti-Virus for Linux 9)
          Anti-Virus for Unix 4.83
First reported to us: September 10th 2012
Days until fix was released: 56
Roll-out of fix commenced on: November 5th 2012
Exploit seen in the wild? No


Privilege escalation through network update service
Description: A lack of access control on the Sophos updating directory that potentially allowed any user to insert their own file and have it executed. The Sophos network update service runs with NT AUTHORITY\SYSTEM privileges and loads modules from a directory that was writable without any privileges, so a specially crafted DLL file placed in that world-writable directory would be loaded by the update service with SYSTEM privileges.
Affected product(s): Anti-Virus 9.x
                     Anti-Virus 10.0.3
Fixed in: Anti-Virus 9.5.6
          Anti-Virus 9.7.7
          Anti-Virus 10.0.4+
First reported to us: March 15th 2012
Days until fix was released: 54
Roll-out of fix completed on: May 8th 2012
Exploit seen in the wild? No


Stack buffer overflow decrypting PDF files
Description: A remote code execution vulnerability in the way the Sophos Anti-Virus engine decrypts revision 3 PDF files that have been specially crafted with an over-length size attribute. The engine parses encrypted revision 3 PDF files by reading the encryption key contents into a fixed-length stack buffer of 5 bytes, so a specially crafted PDF file with a Length attribute greater than 5^8 would cause a buffer overflow.
Affected product(s): Threat Detection Engine 3.36.2 and earlier
Fixed in: Threat Detection Engine 3.37.2
          Threat Detection Engine 3.37.10 (used in Anti-Virus for Mac OS X 8.0.8)
          Threat Detection Engine 3.37.20 (used in Anti-Virus for Linux 9)
          Anti-Virus for Unix 4.83
First reported to us: October 5th 2012
Days until fix was released: 31
Roll-out of fix commenced on: November 5th 2012
Exploit seen in the wild? No
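The VB6 metadata, CAB CFFolder and PDF Length issues above all come down to a length taken from the scanned file being trusted before it is bounded. The C snippet below is an added illustration, not the engine's code: it contrasts a range check that wraps on integer overflow with a hardened copy routine that checks offset and length without addition and also bounds the destination; sample_file and the 5-byte key buffer are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed illustration, not Sophos engine code: a parser takes an
 * (offset, length) pair from the scanned file and copies that field into a
 * small fixed buffer, as with VB6 metadata, CAB folder data and the 5-byte
 * PDF encryption-key buffer described above. */
#define KEY_BUF_LEN 5

/* Range check as a parser might naively write it: off + len is computed in
 * uint32_t, so a crafted len near UINT32_MAX wraps and the check passes.
 * Only reports the decision; nothing is copied. */
bool naive_range_ok(uint32_t total, uint32_t off, uint32_t len)
{
    return off + len <= total;          /* wraps when off + len > UINT32_MAX */
}

/* Hardened extraction: the field must lie inside the file (checked by
 * subtraction, so no wrap) and fit the destination. On any violation it
 * returns false and copies nothing. */
bool copy_field(const uint8_t *src, uint32_t total, uint32_t off, uint32_t len,
                uint8_t *dst, size_t dst_len)
{
    if (off > total || len > total - off) return false;  /* in-file range */
    if (len > dst_len) return false;                     /* over-length Length */
    memcpy(dst, src + off, len);
    return true;
}

/* Constructed 100-byte "file" with a 5-byte key at offset 10. */
static const uint8_t sample_file[100] = { [10] = 'K', 'E', 'Y', '0', '1' };

/* Runs a good field, an over-length field and a wrapping field through both
 * checks; true if the hardened routine accepts only the first. */
bool check_sample(void)
{
    uint8_t key[KEY_BUF_LEN] = {0};
    bool good = copy_field(sample_file, 100, 10, 5, key, sizeof key)
                && memcmp(key, "KEY01", 5) == 0;
    bool too_long = !copy_field(sample_file, 100, 10, 6, key, sizeof key);
    /* 96 + 0xFFFFFFF0 wraps to 80 in 32 bits: naive says yes, hardened no */
    bool wrap = naive_range_ok(100, 96, 0xFFFFFFF0u)
                && !copy_field(sample_file, 100, 96, 0xFFFFFFF0u, key, sizeof key);
    return good && too_long && wrap;
}
```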


If you need more information or guidance, then please contact technical support.
