Advisory: Sophos Anti-Virus for Windows 2000+, denial of service vulnerability
This article describes a Denial of Service (DoS) vulnerability affecting Sophos Anti-Virus for Windows 2000+, version 7.x. This has now been fixed.
All earlier versions of Sophos Anti-Virus for Windows are unaffected. Sophos Anti-Virus for other platforms is also unaffected.
The vulnerability can only be exploited if you have 'Block suspicious behavior' detection enabled in Sophos Anti-Virus, and if basic security precautions are not adhered to. It is not possible to remotely execute code through this vulnerability.
Sophos has seen no example of any virus or other malware attempting to exploit this vulnerability.
What action is Sophos taking?
Fixing the vulnerability requires a change of driver within Sophos Anti-Virus for Windows, version 7.x. This would require a reboot of endpoint computers to become effective. Sophos has reviewed the vulnerability and determined that our customers are more likely to be inconvenienced by the fix than by the vulnerability itself. As a result, there is no committed date for a fix as yet, and Sophos will look to release the fix at the same time as a reboot is required to benefit from additional functionality.
Should malware be released which could exploit this vulnerability, Sophos will reconsider the release of the fix and will write detection for that malware, thereby preventing the potential for a crash.
What to do
There are a number of actions that you can take to avoid the vulnerability:
- The vulnerability can only be exploited if end-users allow ActiveX controls or Java applets to run within a web browser. Default security settings for most web browsers will prevent this code from being run automatically on visiting a compromised website. End-users should follow standard security precautions and only allow such components to run if they trust the website they are using.
- Should the administrator wish, they can turn off the 'Block suspicious behaviour' setting in the HIPS runtime behavior analysis dialog box. For more information, refer to section 14.2 in the Network startup guide.
You should upgrade to versions that are unaffected when they are made available. Customers using EM Library and Sophos small business solutions will receive these updates automatically.
Technical information
When using Runtime Behavioral Analysis, Sophos Anti-Virus hooks calls to open registry keys and to write to the registry. The parameters to these hooked calls include pointers to user-mode memory, and these pointers may or may not point to valid user-mode memory. If the driver accesses memory that is not valid, the system crashes.
The vulnerability can only be exploited if HIPS Runtime Behavioral Analysis | Suspicious Behavior Detection is turned on, and only if basic security precautions are not adhered to. If the vulnerability is exploited, a crash is caused and the endpoint will need to be rebooted.
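The defensive pattern behind this class of bug, as an added example in portable C and not the Sophos driver's code: a registry-hook callback must validate a user-supplied pointer and length before dereferencing them. The 32-bit address split and the simulated user-memory window are assumptions so the example builds stand-alone; in a real driver the probe and the copy also sit inside __try/__except, because a range that passes the probe can still be unmapped.

```c
/* Added illustration, not Sophos code. Models the checks a kernel hook needs
 * before touching a user-supplied pointer. Address split and the simulated
 * user memory are assumptions for a stand-alone build. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit Windows: user-mode addresses lie below MmUserProbeAddress. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Constructed user memory: a small window "mapped" at USER_BASE. */
#define USER_BASE 0x00400000u
static unsigned char user_mem[64] = "SYSTEM\\CurrentControlSet\\Services\\Bad";

enum probe_status { PROBE_OK, PROBE_MISALIGNED, PROBE_ACCESS_VIOLATION };

/* Same rules as ProbeForRead: alignment, no wrap-around of addr+len, and the
 * whole range below the user limit. alignment must be a power of two >= 1. */
enum probe_status probe_for_read(uint32_t addr, uint32_t len, uint32_t alignment)
{
    if (len == 0) return PROBE_OK;
    if (addr % alignment != 0) return PROBE_MISALIGNED;
    if (len > UINT32_MAX - addr) return PROBE_ACCESS_VIOLATION; /* wraps */
    if (addr + len > USER_PROBE_ADDRESS) return PROBE_ACCESS_VIOLATION;
    return PROBE_OK;
}

/* Resolve a user address to the simulated window. NULL stands for an unmapped
 * page, which a real driver can only discover via the exception handler. */
static unsigned char *user_ptr(uint32_t addr, uint32_t len)
{
    if (addr < USER_BASE || addr - USER_BASE + len > sizeof user_mem) return NULL;
    return user_mem + (addr - USER_BASE);
}

/* Hook receives a user-supplied key name (pointer + byte length) and copies it
 * into a kernel buffer. Anything the probe or the mapping rejects fails the
 * call instead of being dereferenced, so a bad pointer cannot crash the host. */
bool copy_key_name(uint32_t addr, uint32_t len, char *out, size_t out_size)
{
    if (probe_for_read(addr, len, 1) != PROBE_OK) return false;
    if (len >= out_size) return false;              /* leave room for NUL */
    unsigned char *src = user_ptr(addr, len);
    if (src == NULL) return false;
    memcpy(out, src, len);
    out[len] = '\0';
    return true;
}
```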
Sophos thanks Core Security for their assistance in identifying this vulnerability.
If you need more information or guidance, then please contact technical support.
- Article ID: 37810
- Created: 28 Apr 2008
- Last updated: 23 Dec 2008