=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN605
_____________________________________________________________________

DATE                      : 19/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Sophos Anti-Virus.

======================================================================
http://www.sophos.com/support/knowledgebase/article/50611.html
______________________________________________________________________

Advisory: Sophos Anti-Virus fuzzed CAB archive vulnerability reported

This article describes a malformed archive file vulnerability within all
Sophos Anti-Virus products and products using the Sophos virus detection
engine.

There are no known exploits of these vulnerabilities at the time of
publication.

Malformed Archive File vulnerability

When scanned, handcrafted “fuzzed” CAB archive files were not
processed correctly by the virus engine, which could cause a
segmentation fault. The fault can only occur when CAB archive
scanning is turned on. Archive scanning is turned off in the default
Sophos Anti-Virus settings.

Should archive scanning be turned on, the most likely impact of
this vulnerability is that Sophos Anti-Virus will either fail
gracefully, ending the scan prematurely with an error message,
or crash, depending upon the design of the product and the
platform on which it is running.

Within a gateway application, a crash could be used to generate a
Denial of Service (DoS) attack.  Whilst there is no evidence to
demonstrate this, it is also theoretically possible that the
vulnerability could allow arbitrary code to be executed remotely.


What to do

The vulnerability has been removed from all versions of Sophos
Anti-Virus running virus engine version 2.82.1 and above.
Versions of Sophos products incorporating the 2.82.1 virus engine
include:

    * Sophos Anti-Virus for Windows 7.6.3
    * Sophos Anti-Virus for Windows NT/9x 4.7.18
    * Sophos Anti-Virus for OS X 4.9.18
    * Sophos Anti-Virus for Linux 6.4.5
    * Sophos Anti-Virus for UNIX 7.0.5
    * Sophos Anti-Virus for Unix and Netware 4.37.0

Customers using EM Library and Sophos small business solutions
will have received these updates automatically between 16th and
18th December 2008.

   1. Check that you have the latest version of Sophos Anti-Virus
      on your computers.
   2. If necessary, update to ensure you have virus engine version
      2.82.1 or above.

If you are unable to update, scanning CAB archives can be disabled
to avoid the potential crash, although Sophos does not recommend that,
given the current likelihood of exploitation. Should you decide to
do so, please refer to the product documentation for details on how
to perform that action.
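
The version check above, applied to a fleet inventory, as an added
example that is not part of the Sophos advisory or of CERT-Renater's
note. The CSV layout, host names and sample rows are constructed, and
treating the listed product releases as minimums is an assumption.

```python
import csv
import io

FIXED_ENGINE = (2, 82, 1)
# Product releases the advisory lists as incorporating engine 2.82.1.
FIXED_PRODUCT = {
    "Windows": (7, 6, 3),
    "Windows NT/9x": (4, 7, 18),
    "OS X": (4, 9, 18),
    "Linux": (6, 4, 5),
    "UNIX": (7, 0, 5),
    "Unix and Netware": (4, 37, 0),
}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE = """host,product,product_version,engine_version,archive_scanning
gw-mail-01,Linux,6.4.2,2.80.3,on
ws-0142,Windows,7.6.3,2.82.1,off
ws-0207,Windows,7.6.1,2.9.0,off
fs-legacy,Windows NT/9x,4.7.18,,on
mac-0031,OS X,4.9.17,,on
"""

def parse_version(text):
    """Turn '2.82.1' into (2, 82, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(row):
    """Return 'fixed', 'exposed', 'vulnerable-not-scanning' or 'unknown'."""
    if row["engine_version"]:
        fixed = parse_version(row["engine_version"]) >= FIXED_ENGINE
    elif row["product"] in FIXED_PRODUCT and row["product_version"]:
        # Assumption: releases at or after the listed one carry a fixed engine.
        fixed = parse_version(row["product_version"]) >= FIXED_PRODUCT[row["product"]]
    else:
        return "unknown"
    if fixed:
        return "fixed"
    # The fault is only caused when CAB archive scanning is turned on.
    return "exposed" if row["archive_scanning"] == "on" else "vulnerable-not-scanning"

def audit(inventory_csv):
    """Map each host in the CSV text to its status."""
    return {r["host"]: classify(r) for r in csv.DictReader(io.StringIO(inventory_csv))}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

The constructed row with engine 2.9.0 is reported as vulnerable; a plain
string comparison would rank "2.9.0" above "2.82.1" and miss it.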

Sophos credits Oulu University Secure Programming Group with the
discovery of this vulnerability.
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

This vulnerability has also been reported by Jonathan Brossard of iViz
Security.  Sophos does not acknowledge any other vulnerability announced
by iViz Security but has offered to work with iViz Security to determine
whether such vulnerabilities are present.

If you need more information or guidance, then please contact technical
support.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
