Advisory: Sophos Anti-Virus fuzzed CAB archive vulnerability reported

This article describes a Malformed Archive File vulnerability in all Sophos Anti-Virus products and in products that use the Sophos virus detection engine.

There are no known exploits of this vulnerability at the time of publication.

Malformed Archive File vulnerability

Handcrafted (“fuzzed”) CAB archive files were not processed correctly by the virus engine when scanned, and could trigger a segmentation fault. The fault occurs only when CAB archive scanning is turned on; archive scanning is turned off in the default Sophos Anti-Virus settings.

If archive scanning is turned on, the most likely impact of this vulnerability is that Sophos Anti-Virus either fails gracefully, with the scan terminating prematurely and reporting an error message, or crashes, depending on the design of the product and the platform on which it is running.

Within a gateway application, a crash could be used to generate a Denial of Service (DoS) attack. Whilst there is no evidence to demonstrate this, it is also theoretically possible that the vulnerability could allow arbitrary code to be executed remotely.
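The advisory does not say which part of the CAB file the fuzzed samples corrupted. As an added illustration (not Sophos engine code), the C parser below shows the defensive pattern an archive scanner needs for the CAB CFHEADER: every length and offset field is bounds-checked against the bytes actually present, so a malformed file is rejected with an error code instead of being dereferenced into a segmentation fault. Field offsets follow the Microsoft Cabinet format; the 64-byte sample is constructed for the demonstration and is not a real cabinet.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CFHEADER_SIZE 36u          /* fixed CFHEADER length */
#define CFFOLDER_SIZE 8u           /* fixed CFFOLDER length */
#define CFFILE_FIXED_SIZE 16u      /* CFFILE length before the file name */
#define CFHDR_RESERVE_PRESENT 0x0004u
enum cab_status { CAB_OK = 0, CAB_ERR_TRUNCATED, CAB_ERR_SIGNATURE, CAB_ERR_SIZE,
                  CAB_ERR_FOLDER_COUNT, CAB_ERR_FILE_OFFSET };
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate a CFHEADER against the buffer that actually holds it. Every length and offset
 * field is untrusted and bounds-checked before anything would use it to index memory. */
enum cab_status cab_header_check(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < CFHEADER_SIZE) return CAB_ERR_TRUNCATED;
    if (memcmp(buf, "MSCF", 4) != 0) return CAB_ERR_SIGNATURE;
    uint32_t cb_cabinet = rd32(buf + 8);   /* claimed total cabinet size */
    uint32_t coff_files = rd32(buf + 16);  /* offset of the first CFFILE */
    uint16_t c_folders  = rd16(buf + 26);
    uint16_t flags      = rd16(buf + 30);
    if (cb_cabinet > len) return CAB_ERR_SIZE;
    /* Optional reserve block (cbCFHeader u16, cbCFFolder u8, cbCFData u8) extends the header. */
    size_t hdr_end = CFHEADER_SIZE, folder_size = CFFOLDER_SIZE;
    if (flags & CFHDR_RESERVE_PRESENT) {
        if (len < CFHEADER_SIZE + 4) return CAB_ERR_TRUNCATED;
        hdr_end += 4 + rd16(buf + 36);
        folder_size += buf[38];
        if (hdr_end > len) return CAB_ERR_TRUNCATED;
    }
    /* Folder table follows the header; 64-bit arithmetic so the multiply cannot wrap. */
    if (c_folders == 0) return CAB_ERR_FOLDER_COUNT;
    uint64_t folders_end = (uint64_t)hdr_end + (uint64_t)c_folders * folder_size;
    if (folders_end > len) return CAB_ERR_FOLDER_COUNT;
    /* The first CFFILE must start after the folder table and fit inside the buffer. */
    if (coff_files < folders_end || (uint64_t)coff_files + CFFILE_FIXED_SIZE > len)
        return CAB_ERR_FILE_OFFSET;
    return CAB_OK;
}

/* Constructed 64-byte sample (not a real cabinet): CFHEADER, one CFFOLDER, a stub CFFILE. */
size_t build_sample_cab(uint8_t *out, size_t cap)
{
    if (cap < 64) return 0;
    memset(out, 0, 64);
    memcpy(out, "MSCF", 4);
    out[8] = 64; out[16] = 44;   /* cbCabinet = 64, coffFiles = CFHEADER_SIZE + CFFOLDER_SIZE */
    out[24] = 3; out[25] = 1;    /* versionMinor 3, versionMajor 1 */
    out[26] = 1; out[28] = 1;    /* cFolders = 1, cFiles = 1 */
    return 64;
}
```

Flipping single bytes of the sample, as a fuzzer would, exercises each rejection path without any memory access outside the buffer.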

What to do

The vulnerability has been removed from all versions of Sophos Anti-Virus running virus engine version 2.82.1 and above. Versions of Sophos products incorporating the 2.82.1 virus engine include:

Customers using EM Library and Sophos small business solutions will have received these updates automatically between 16th and 18th December 2008.

  1. Check that you have the latest version of Sophos Anti-Virus on your computers.
  2. If necessary, update to ensure you have virus engine version 2.82.1 or above.

If you are unable to update, scanning of CAB archives can be disabled to avoid the potential crash, although Sophos does not recommend this given the current likelihood of exploitation. Should you decide to do so, please refer to the product documentation for details on how to perform that action.

Sophos credits Oulu University Secure Programming Group with the discovery of this vulnerability: http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

This vulnerability has also been reported by Jonathan Brossard of iViz Security. Sophos does not acknowledge any other vulnerability announced by iViz Security but has offered to work with iViz Security to determine whether such vulnerabilities are present.

If you need more information or guidance, then please contact technical support.