Advisory: Minor TAO/Remote Management System (RMS) vulnerability fixed in Sophos Anti-Virus
This article describes a minor TAO-related vulnerability within the RMS component of Sophos Anti-Virus which has been fixed in recent versions of the product.
Affected systems would not experience any drop in protection levels.
There are no known exploits of this vulnerability at the time of publication.
TAO/RMS Denial of Service vulnerability
A corrupt, large GIOP message causes a memory allocation failure in TAO, a third-party Object Request Broker used within RMS. TAO doesn't handle this case, and the resulting exception causes the RMS router to exit, relying on the Windows Service Manager to restart the service.
The likely consequence of this vulnerability is that the RMS router will simply restart without any impact.
If the message is sent repeatedly, the SEC server’s RMS Router could be stopped repeatedly, degrading or preventing the management of endpoint computers (e.g. identifying new endpoints, changing policy configuration).
If such a DoS attack were directed at endpoints without suitable service management (such as on Windows 9x and some non-Windows platforms), the computers or the Router would need to be manually restarted.
N.B. Sophos Anti-Virus would continue to work and receive updates throughout any denial of service attack that exploits this vulnerability, as these updates use an alternative mechanism. Affected systems would not experience any drop in protection levels.
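The failure described above comes from trusting the length declared in the 12-byte GIOP header and not handling the failed allocation. The following C sketch is an added example, not code from Sophos or TAO: it checks the declared body size against a cap before allocating and returns an error instead of exiting. The function names, the 1 MiB cap and the sample headers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GIOP_HEADER_LEN 12
#define MAX_GIOP_BODY (1u << 20)  /* assumed 1 MiB policy cap, not a TAO/RMS value */

enum giop_status { GIOP_OK, GIOP_SHORT, GIOP_BAD_MAGIC, GIOP_TOO_LARGE, GIOP_NO_MEMORY };

/* message_size is octets 8..11; bit 0 of octet 6 selects the byte order
 * (set = little-endian), both for the GIOP 1.0 byte_order octet and the
 * GIOP 1.1+ flags octet. */
static uint32_t giop_body_size(const uint8_t *hdr)
{
    const uint8_t *p = hdr + 8;
    if (hdr[6] & 0x01)
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

/* Validate the header and allocate the body buffer only when the declared
 * size is within the cap. On failure *body stays NULL, so the caller can
 * drop the connection instead of letting the process exit. */
enum giop_status giop_prepare_body(const uint8_t *buf, size_t len,
                                   uint8_t **body, uint32_t *body_len)
{
    *body = NULL;
    *body_len = 0;
    if (len < GIOP_HEADER_LEN) return GIOP_SHORT;
    if (memcmp(buf, "GIOP", 4) != 0) return GIOP_BAD_MAGIC;
    uint32_t size = giop_body_size(buf);
    if (size > MAX_GIOP_BODY) return GIOP_TOO_LARGE;   /* reject before allocating */
    *body = malloc(size ? size : 1);                   /* avoid ambiguous malloc(0) */
    if (*body == NULL) return GIOP_NO_MEMORY;          /* recoverable, not fatal */
    *body_len = size;
    return GIOP_OK;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t sample_ok[12]   = {'G','I','O','P',1,2,0x00,0, 0x00,0x00,0x00,0x40};
static const uint8_t sample_huge[12] = {'G','I','O','P',1,2,0x01,0, 0xff,0xff,0xff,0x7f};

int main(void)
{
    uint8_t *body; uint32_t n;
    int ok = giop_prepare_body(sample_ok, 12, &body, &n) == GIOP_OK;
    free(body);
    int rejected = giop_prepare_body(sample_huge, 12, &body, &n) == GIOP_TOO_LARGE;
    printf("64-byte body accepted: %d, oversized body rejected: %d\n", ok, rejected);
    return (ok && rejected) ? 0 : 1;
}
```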
What to do
The vulnerability has been removed from RMS 3.0.9 and above. Customers using EM Library will have received this update automatically on, or soon after, the 22nd October 2008 as part of the following releases:
- Sophos Anti-Virus for Windows 2000/XP/2003/Vista 7.6.0
- Sophos Anti-Virus for Windows 95/98/NT 4.7.16
- Sophos Anti-Virus for Mac OSX 4.9.15
- Sophos Anti-Virus for Linux 6.4.4
- Check that you have the latest version of Sophos Anti-Virus.
- If necessary, update to ensure you have an updated version.
If you are unable to update your endpoint, then a workaround would be to block external access to the RMS IIOP port (8193 by default) using a firewall. IIOP is not needed for SEC/endpoint communications.
Sophos thanks MWR InfoSecurity for bringing this defect to our attention.
If you need more information or guidance, please contact technical support.
- Article ID: 51420
- Created: 16 Jan 2009
- Last updated: 16 Jan 2009
- Endpoint Security and Control 9.5
- PureMessage for Microsoft Exchange 3.1

