Cisco Security Advisory
Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:P/E:POC/RL:U/RC:C
-
Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web Security Appliances (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial-of-service (DoS) condition. An attacker could exploit these vulnerabilities by sending malformed files to an appliance that is running Sophos Anti-Virus. The malformed files could cause the Sophos antivirus engine to behave unexpectedly.
On November 13, 2012, Cisco qualified and provisioned a Sophos engine to the Cisco IronPort ESA and WSA update servers that fixes the vulnerabilities described in this document.
Future updates to the Sophos engine will be qualified and provisioned to the Cisco IronPort ESA and WSA update servers as they become available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos
Cisco is not aware of any active exploitation affecting Cisco customers.
-
Vulnerable Products
The following Cisco IronPort appliances, when configured to use Sophos software, are affected by these vulnerabilities:
- Cisco IronPort Email Security Appliances (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.
- Cisco IronPort Web Security Appliances (S-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.
Customers can use either the command-line interface (CLI) or the Web Graphical User Interface (GUI) to verify the Sophos software and version.
In the Cisco IronPort WSA CLI, use the version command. In the GUI, select Security Services > Web Reputation and Anti-Malware.
In the Cisco IronPort ESA CLI, use the antivirusstatus sophos command. In the GUI, select Security Services > Anti-Virus > Sophos.
Products Confirmed Not Vulnerable
Cisco IronPort Security Management Appliances (M-Series) are not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these vulnerabilities.
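The version check above is a manual comparison of the string reported by the version or antivirusstatus sophos command against the two versions named in this advisory (3.2.07.352_4.80 and earlier affected; 3.2.07.363_4.83 fixed). The script below is an added example, not Cisco or Sophos code, that automates that comparison over captured appliance output. It assumes only that the engine version appears somewhere in the text in the engine_data form shown in the advisory; the sample lines are constructed and do not reproduce the real layout of the CLI output.

```python
import re
from typing import List, Optional, Tuple

# Boundaries taken from the advisory: the last affected and the first fixed
# Sophos engine versions. The "engine_data" form (e.g. 3.2.07.352_4.80) is
# split into two halves that are compared numerically.
LAST_AFFECTED = "3.2.07.352_4.80"
FIRST_FIXED = "3.2.07.363_4.83"

# Matches a dotted engine version, an underscore and a dotted data version
# anywhere in a line, so the surrounding layout of the appliance output
# (which this example does not assume) does not matter.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)_(\d+(?:\.\d+)+)\b")

Version = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first engine_data token from text as two integer tuples.

    int() drops leading zeros, so 3.2.07.x compares as 3.2.7.x rather than
    as a string. Returns None when no token is present.
    """
    m = VERSION_RE.search(text)
    if m is None:
        return None
    engine = tuple(int(p) for p in m.group(1).split("."))
    data = tuple(int(p) for p in m.group(2).split("."))
    return engine, data


def assess(text: str) -> str:
    """Classify the Sophos engine version found in one line of output.

    "affected":     at or below the last affected version in the advisory.
    "fixed":        at or above the version Cisco provisioned on 2012-11-13.
    "unclassified": between the two; the advisory does not name such a
                    build, so treat it as needing the update.
    "unknown":      no version token in the text.
    """
    found = parse_version(text)
    if found is None:
        return "unknown"
    last_affected = parse_version(LAST_AFFECTED)
    first_fixed = parse_version(FIRST_FIXED)
    assert last_affected is not None and first_fixed is not None
    if found <= last_affected:
        return "affected"
    if found >= first_fixed:
        return "fixed"
    return "unclassified"


def report(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, verdict) pairs for every line that carries a version."""
    out = []
    for line in lines:
        verdict = assess(line)
        if verdict != "unknown":
            out.append((line.strip(), verdict))
    return out


# Constructed sample lines (NOT the real output layout of "antivirusstatus
# sophos" or "version"); only the first and third version values are from
# the advisory, the others are made up to exercise the edge cases.
SAMPLE_OUTPUT = [
    "Sophos Engine: 3.2.07.352_4.80",  # last affected version
    "Sophos Engine: 3.2.06.120_4.75",  # older build, also affected
    "Sophos Engine: 3.2.07.363_4.83",  # fixed version
    "Sophos Engine: 3.2.07.355_4.81",  # between the two, not named by Cisco
    "Last Update: <constructed timestamp>",  # no version token
]

if __name__ == "__main__":
    for line, verdict in report(SAMPLE_OUTPUT):
        print(f"{verdict:12s} {line}")
```

Feed it the saved output of the CLI command from each appliance; any line classified as anything other than "fixed" means the update server has not yet delivered the 3.2.07.363_4.83 engine to that appliance.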
-
The Cisco IronPort ESA provides email management and protection combining antispam, antivirus, and encryption technologies. The Cisco IronPort WSA is a secure web gateway that provides advanced malware protection, application visibility and control, acceptable use policy controls, reporting, and secure mobility on a single platform.
Cisco IronPort ESA and WSA can be configured to use one of several popular antivirus programs. Only Cisco IronPort appliances running Sophos Engine: 3.2.07.352_4.80 and earlier are affected by the following vulnerabilities published in the Sophos knowledge base article at: http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
The following vulnerabilities affect the Sophos engine that is currently installed on Cisco IronPort ESA and WSA products:
- Integer overflow parsing Visual Basic 6 controls
- Internet Explorer protected mode is effectively disabled by Sophos
- Memory corruption vulnerability in Microsoft CAB parsers
- RAR virtual machine standard filters memory corruption
- Stack buffer overflow decrypting PDF files
- sophos_detoured_x64.dll ASLR bypass
- Universal XSS
- Privilege escalation through network update service
These vulnerabilities are documented in CSCud10556 (registered customers only) for the Cisco IronPort Email Security Appliance and in CSCud10546 (registered customers only) for the Cisco IronPort Web Security Appliance.
-
There are no workarounds for these vulnerabilities. Cisco recommends updating to Sophos engine version 3.2.07.363_4.83.
-
Sophos engine version 3.2.07.363_4.83 was qualified and provisioned to the Cisco IronPort ESA and WSA update servers on November 13, 2012 and fixes the vulnerabilities described in this advisory.
-
The vulnerabilities in Sophos Anti-Virus that affect these Cisco IronPort appliances were publicly disclosed by Tavis Ormandy on November 5th, 2012. The Sophos advisory is available at:
http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
Cisco is not aware of any active exploitation affecting Cisco customers.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
- Revision 1.3, 2012-November-13: Updated to announce fixed software.
- Revision 1.2, 2012-November-12: Added expected fix availability.
- Revision 1.1, 2012-November-09: Added additional CLI/GUI commands.
- Revision 1.0, 2012-November-09: Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.