Sophos
Advisory: Malformed CAB archive vulnerability reported in Sophos products that use the Sophos detection engine

This article describes a malformed archive file bypass vulnerability within the Sophos security products that use the Sophos Anti-Virus detection engine. There are no known in-the-wild exploits of this vulnerability at the time of publication.

Affected Sophos products and version numbers
Sophos Anti-Virus for Windows 2000+ (version 7.6.7 and earlier)
Sophos Anti-Virus for Windows NT/95/98 (version 4.7.22 and earlier)
Sophos Anti-Virus for OS X (version 4.9.22/7.01 and earlier)
Sophos Anti-Virus for UNIX (versions 7.0.9 and earlier/4.41.9 and earlier)
Sophos Anti-Virus for Linux (version 6.6.2 and earlier)
Sophos Anti-Virus for Netware (version 4.41.9 and earlier)
Sophos Email Appliance (version 3.1.3.1 and earlier)
Sophos Web Appliance (version 2.1.18 and earlier)
PureMessage for UNIX (version 5.5.4 and earlier)

Malformed Archive File Bypass Vulnerability

When read by the Sophos product, handcrafted CAB archive files were not processed correctly by the virus engine, with the result that the contents of the archive were not fully scanned.

Depending on whether the virus scan is taking place at the gateway or at the endpoint, the likely impact of the vulnerability differs:

  • Using Sophos Anti-Virus at the endpoint, the malware would be caught as the relevant file was being extracted/opened. It is worth noting that Sophos would also be able to write detection for the specific archive file itself should we become aware of an exploit in-the-wild.
  • Using Sophos products at the gateway, the malware would pass through, but it is likely to be caught by the anti-virus solution used at the endpoint.
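The general lesson of the bypass described above is that an archive whose structure the engine cannot walk to the end must be reported as malformed rather than silently passed as clean. The following is an added example, not Sophos code and not a description of the specific malformation in this advisory: it parses the fixed CFHEADER, the CFFOLDER table and the CFFILE table of a CAB file, records every structural inconsistency it finds (declared size, offsets, counts, name termination) and turns a non-empty list of findings into a fail-closed verdict. The sample archives are constructed inline; the tamperings applied in the checks are assumptions chosen for illustration.

```python
"""Structural sanity checks for a CAB (Microsoft Cabinet) archive.

Added example: an archive the parser cannot walk must never be treated as
clean. The sample archives are constructed here; the tamperings used below
are illustrative assumptions, not the malformation from the advisory.
"""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte fixed part of CFHEADER
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp

FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x0001, 0x0002, 0x0004
CONTINUED_FOLDERS = {0xFFFD, 0xFFFE, 0xFFFF}  # iFolder values used by spanning cabinet sets


def check_cab(data: bytes) -> list:
    """Return a list of structural inconsistencies; an empty list means the layout is self-consistent."""
    findings = []
    if len(data) < CFHEADER.size:
        return ["file shorter than CFHEADER"]
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        return ["bad signature"]
    if (ver_major, ver_minor) != (1, 3):
        findings.append(f"unexpected version {ver_major}.{ver_minor}")
    if cb_cabinet != len(data):
        findings.append(f"cbCabinet={cb_cabinet} but actual size={len(data)}")
    if c_folders == 0 or c_files == 0:
        findings.append("zero folders or files")

    # Variable part of the header: optional reserve area, then prev/next cabinet names.
    pos = CFHEADER.size
    cb_folder_reserve = 0
    if flags & FLAG_RESERVE:
        if pos + 4 > len(data):
            return findings + ["reserve header truncated"]
        cb_hdr, cb_folder_reserve, _cb_data_reserve = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_hdr
    for present in (flags & FLAG_PREV, flags & FLAG_NEXT):
        if present:
            for _ in range(2):  # cabinet name and disk name, both NUL-terminated
                end = data.find(b"\0", pos)
                if end < 0:
                    return findings + ["unterminated cabinet/disk name"]
                pos = end + 1

    # CFFOLDER table: every folder must point at data inside the file.
    folder_size = CFFOLDER.size + cb_folder_reserve
    if pos + c_folders * folder_size > len(data):
        return findings + ["CFFOLDER table runs past end of file"]
    for i in range(c_folders):
        coff_cab_start, _c_cfdata, _type = CFFOLDER.unpack_from(data, pos + i * folder_size)
        if coff_cab_start >= len(data):
            findings.append(f"folder {i}: coffCabStart {coff_cab_start} beyond end of file")
    pos += c_folders * folder_size

    # CFFILE table: must not overlap the header area and every entry must be complete.
    if coff_files < pos:
        findings.append(f"coffFiles={coff_files} overlaps header/folder area ending at {pos}")
    if coff_files >= len(data):
        return findings + ["coffFiles beyond end of file"]
    pos = coff_files
    for i in range(c_files):
        if pos + CFFILE.size > len(data):
            findings.append(f"file {i}: CFFILE entry truncated")
            break
        _cb, _uoff, i_folder, _d, _t, _a = CFFILE.unpack_from(data, pos)
        if i_folder >= c_folders and i_folder not in CONTINUED_FOLDERS:
            findings.append(f"file {i}: iFolder {i_folder} out of range")
        end = data.find(b"\0", pos + CFFILE.size)
        if end < 0:
            findings.append(f"file {i}: unterminated name")
            break
        pos = end + 1
    return findings


def scan_verdict(data: bytes) -> str:
    """Fail closed: anything the parser cannot walk is 'malformed', never 'clean'."""
    return "malformed" if check_cab(data) else "parsed"


def build_sample_cab(payload: bytes = b"hello world", name: bytes = b"hello.txt") -> bytes:
    """Construct a minimal well-formed single-file CAB (stored, uncompressed) for testing."""
    cffile = CFFILE.pack(len(payload), 0, 0, 0, 0, 0x20) + name + b"\0"
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(cffile)
    cffolder = CFFOLDER.pack(coff_data, 1, 0)
    cfdata = CFDATA.pack(0, len(payload), len(payload)) + payload  # csum 0 = not supplied
    total = coff_data + len(cfdata)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, 1, 0, 0, 0)
    return header + cffolder + cffile + cfdata


if __name__ == "__main__":
    good = build_sample_cab()
    print(scan_verdict(good), check_cab(good))
    print(scan_verdict(good[:60]), check_cab(good[:60]))  # truncated mid-CFFILE
```

The important design choice is in `scan_verdict`: a parse failure is itself a verdict. An engine that stops at the first inconsistency and returns "nothing found" has confused "could not scan" with "scanned and clean", which is exactly the gap a malformed archive exploits.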

What to do

This vulnerability has been fixed in the latest versions of the affected products. Therefore, customers using the latest versions of Sophos Anti-Virus and PureMessage for Microsoft Exchange will have received these updates automatically between 20th and 28th May 2009. Customers using the Sophos Web and Email Appliances and PureMessage for UNIX were automatically updated between 20th May and 9th June 2009.

If you are not sure whether you are using the latest version of your software:

  1. Check which version of your Sophos product you are using.
  2. If you are not using one of the versions listed below, update your software to ensure that you have virus engine version 2.87.1 or later:

    • Sophos Anti-Virus for Windows 2000+ 7.6.8
    • Sophos Anti-Virus for Windows NT/95/98 4.7.23
    • Sophos Anti-Virus for OS X 4.9.23/7.02
    • Sophos Anti-Virus for Linux 6.6.3
    • Sophos Anti-Virus for UNIX 7.0.10
    • Sophos Anti-Virus for UNIX and Netware 4.42.0
    • Sophos Email Appliance 3.1.4.1
    • Sophos Web Appliance 3.0.0
    • PureMessage for UNIX 5.5.5
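The version check in the steps above is easy to get wrong when scripted across a fleet, because a plain string comparison orders "2.9.0" after "2.87.1". The following is an added example, not a Sophos tool: it copies the fixed-version table and the minimum engine version 2.87.1 from this advisory, compares versions numerically segment by segment, and picks the fixed release on the same major branch where a product has two (OS X and UNIX). The product-name keys and the `needs_update` interface are my own assumptions about how such a check would be called.

```python
"""Compare an installed Sophos version against the fixed versions in the advisory.

Added example. The table and the engine threshold come from the advisory;
the comparison logic and function names are assumptions made here.
"""

MIN_ENGINE = "2.87.1"  # virus engine version at which the fix is present

# Fixed product versions listed in the advisory; products with two branches list both.
FIXED_VERSIONS = {
    "Sophos Anti-Virus for Windows 2000+": ["7.6.8"],
    "Sophos Anti-Virus for Windows NT/95/98": ["4.7.23"],
    "Sophos Anti-Virus for OS X": ["4.9.23", "7.02"],
    "Sophos Anti-Virus for Linux": ["6.6.3"],
    "Sophos Anti-Virus for UNIX": ["7.0.10", "4.42.0"],
    "Sophos Anti-Virus for Netware": ["4.42.0"],
    "Sophos Email Appliance": ["3.1.4.1"],
    "Sophos Web Appliance": ["3.0.0"],
    "PureMessage for UNIX": ["5.5.5"],
}


def parse_version(text: str) -> tuple:
    """Split a dotted version into integers so segments compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def is_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum; shorter versions are right-padded with zeros ("2.88" == "2.88.0")."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def fixed_version_for(product: str, installed: str) -> str:
    """Pick the fixed release on the same major branch as the installed version."""
    major = parse_version(installed)[0]
    candidates = FIXED_VERSIONS[product]
    for fixed in candidates:
        if parse_version(fixed)[0] == major:
            return fixed
    # No release on this branch (e.g. Web Appliance 2.x -> 3.0.0): use the primary fix.
    return candidates[0]


def needs_update(product: str, installed: str, engine: str = None) -> bool:
    """True if the installation predates the fix.

    When the engine version is known it is decisive, since the fix lives in the
    engine; otherwise fall back to the product version table.
    """
    if engine is not None:
        return not is_at_least(engine, MIN_ENGINE)
    return not is_at_least(installed, fixed_version_for(product, installed))


if __name__ == "__main__":
    print("string compare says 2.9.0 >= 2.87.1:", "2.9.0" >= "2.87.1")  # True, and wrong
    print("numeric compare says 2.9.0 >= 2.87.1:", is_at_least("2.9.0", "2.87.1"))  # False
    print(needs_update("Sophos Anti-Virus for OS X", "7.01"))
```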

Sophos thanks Thierry Zoller (G-SEC) for the discovery and responsible disclosure of this vulnerability.

If you need more information or guidance, then please contact technical support.