A privilege escalation vulnerability was discovered and responsibly disclosed on 17 August, 2019 by Lasse Trolle Borup of Danish Cyber Defence that impacted specific versions of Sophos Anti-Virus for macOS. All supported versions were fixed by 5 December 2019. The only action required for customers is to verify they are running the fixed version.
Description of Vulnerability
An unprivileged, authenticated attacker with the necessary privileges to create hardlinks on a filesystem can trick a privileged service into writing log entries into an arbitrary attacker-controlled file location. By carefully constructing filesystem entries the attacker can embed malicious data into those log files, which can potentially be interpreted as commands by other software, such as the macOS launchd periodic service. This can lead to escalation of privilege.
How to verify the version number
The following versions include the appropriate fix to address this vulnerability
- Mac Endpoint for Sophos Central: version 9.9.6 (released 5 December 2019) or newer
To see the version, click on the Sophos shield on the right half of the menu bar, click on the "Open Sophos Endpoint..." button, and click on the blue "About" text in the bottom right corner of the "Sophos Endpoint" window. The version will be displayed in the upper left of the "Sophos Endpoint" window.
- Mac Endpoint for Sophos Home: version 2.2.6 (9.9.6 component versions) or newer
To see the version, click on the Sophos shield on the right half of the menu bar, click on the ellipsis (...) menu in the upper right corner of the drop down window, and click on the "About" menu item.
- Mac Endpoint for Sophos Home: version 2.1.4 (9.7.16 component versions) for support of older macOS versions (OSX 10.10 and OSX 10.11) or newer
- Mac Endpoint for On Premise Management: version 9.9.5 (released 26 November 2019) or newer (for preview, recommended, previous and Fixed Package 9.9.5)
To see the version, click on the Sophos shield on the right half of the menu bar, click on the "About Sophos Anti-Virus" menu item.