Resolved HMPA Service Local DoS (CVE-2021-25269)

Zurück zur Übersicht der Sicherheitshinweise
Medium
CVE(s)
CVE-2021-25269
Updated:
Produkt(e)
Sophos Exploit Prevention
Intercept X for Server
Intercept X Endpoint
Veröffentlichungs-ID sophos-sa-20211126-ixa-hmpa-local-dos
Artikelversion 1
Erstveröffentlichung
Provisorische Lösung No

Overview

An unquoted service path vulnerability in the HitmanPro.Alert component was discovered and responsibly disclosed to Sophos. This component is included in the Windows builds of Sophos Intercept X Advanced, Sophos Intercept X Advanced for Server, and the Sophos Exploit Prevention tool. The vulnerability was reported via the Sophos bug bounty program by external security researchers. A fix has been deployed for Sophos Intercept X Advanced. There is no action required for customers, as updates are installed automatically by default.

Sophos would like to thank Andrea Intilangelo and Florian Hansemann for responsibly disclosing the issue to Sophos.

The remediation prevented a local attacker with administrator privileges to preclude the HMPA service from starting despite tamper protection. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.

Applies to the following Sophos product(s) and version(s)

  • Sophos Intercept X Advanced versions prior to version 2.0.23

  • Sophos Intercept X Advanced for Server versions prior to version 2.0.23

  • Sophos Exploit Prevention versions prior to version 3.8.3

Remediation

  • Sophos Intercept X Advanced

    • Fix included in Sophos Intercept X Advanced 2.0.23 on November 18, 2021

  • Sophos Intercept X Advanced for Server

    • Fix included in Sophos Intercept X Advanced for Server 2.0.23, available at the end of January 2022

    • A hotfix is available (cumulative hotfix 3.9.0.6 dated October 22, 2021) for customers who want to address this vulnerability before the January 2022 release. Please refer to KBA KB-000038477 for details.

  • Sophos Exploit Prevention

    • Fix included in Sophos Exploit Prevention 3.8.3, available at the end of January 2022

    • A hotfix is available (cumulative hotfix 3.9.0.6 dated October 22, 2021) for customers who want to address this vulnerability before the January 2022 release. Please refer to KBA KB-000038477 for details.