The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sophos AV

vulnerability alert CVE-2015-0138 CVE-2015-0204

OpenSSL, LibReSSL, Mono, JSSE: weakening TLS encryption via FREAK

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Impacted products: Arkoon FAST360, ArubaOS, Avaya Ethernet Routing Switch, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ATA, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco ESA, IOS by Cisco, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Cisco IP Phone, Cisco MeetingPlace, Cisco WSA, Clearswift Email Gateway, Debian, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, Chrome, HPE NNMi, HP-UX, AIX, DB2 UDB, IRAD, Security Directory Server, Tivoli Directory Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, JUNOS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, Domino, Notes, MBS, McAfee Email Gateway, ePO, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows (platform) ~ not comprehensive, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, Java OpenJDK, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Java Oracle, Solaris, pfSense, Puppet, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Creation date: 04/03/2015.
Revision date: 09/03/2015.
Identifiers: 122007, 1450666, 1610582, 1647054, 1698613, 1699051, 1699810, 1700225, 1700997, 1701485, 1902260, 1903541, 1963275, 1968485, 1973383, 55767, 7014463, 7022958, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04556853, c04679334, c04773241, CERTFR-2015-AVI-108, CERTFR-2015-AVI-117, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpuapr2017, cpuoct2017, CTX216642, CVE-2015-0138, CVE-2015-0204, DSA-3125-1, FEDORA-2015-0512, FEDORA-2015-0601, FG-IR-15-007, FREAK, FreeBSD-SA-15:01.openssl, HPSBMU03345, HPSBUX03244, HPSBUX03334, JSA10679, MDVSA-2015:019, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-006, NetBSD-SA2015-007, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2016:0640-1, RHSA-2015:0066-01, RHSA-2015:0800-01, RHSA-2015:1020-01, RHSA-2015:1021-01, RHSA-2015:1091-01, SA40015, SA88, SA91, SB10108, SB10110, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SP-CAAANXD, SPL-95203, SPL-95206, SSA:2015-009-01, SSRT101885, SSRT102000, SUSE-SU-2015:1073-1, SUSE-SU-2015:1085-1, SUSE-SU-2015:1086-1, SUSE-SU-2015:1086-2, SUSE-SU-2015:1086-3, SUSE-SU-2015:1086-4, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, T1022075, USN-2459-1, VIGILANCE-VUL-16301, VN-2015-003_FREAK, VU#243585.

Description of the vulnerability

The TLS protocol uses a series of messages that must be exchanged between the client and the server before a secured session is established.

Several cryptographic algorithms can be negotiated, including the weak algorithms once allowed for USA export (less than 512 bits).

An attacker, located as a Man-in-the-Middle, can inject during session initialization a message that selects an export algorithm. This message should be rejected with an error; however, some TLS clients accept it.

Note: the variant related to Windows is described in VIGILANCE-VUL-16332.

An attacker, located as a Man-in-the-Middle, can therefore force the Chrome, JSSE, LibReSSL, Mono or OpenSSL client to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
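The client-side check that the FREAK fix restores, as an added Python model that is not part of this bulletin or of any listed product: the client records the cipher suite chosen in ServerHello and, when a ServerKeyExchange carrying a temporary RSA key arrives, rejects it unless an RSA_EXPORT suite was actually negotiated (and even then only an export-sized key). The ClientState class, the handler names, the simulate() driver and the suite table are constructed for the illustration; the suite names themselves are standard TLS identifiers.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed suite table for the model (names are standard TLS suite identifiers).
EXPORT_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
STRONG_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}
MAX_EXPORT_RSA_BITS = 512  # export-grade temporary RSA keys are capped at 512 bits


class HandshakeError(Exception):
    """Raised when the client must abort the handshake with an alert."""


@dataclass
class ClientState:
    negotiated_suite: Optional[str] = None
    server_rsa_bits: Optional[int] = None  # temporary RSA key accepted from ServerKeyExchange


def on_server_hello(state: ClientState, suite: str) -> None:
    """Record the suite the server picked; unknown suites abort the handshake."""
    if suite not in EXPORT_SUITES | STRONG_SUITES:
        raise HandshakeError(f"unknown cipher suite {suite}")
    state.negotiated_suite = suite


def on_server_key_exchange_vulnerable(state: ClientState, rsa_bits: int) -> None:
    """Pre-fix behaviour (the bug in the bulletin): a temporary RSA key is accepted
    whatever suite was negotiated, so the handshake can be downgraded to 512 bits."""
    state.server_rsa_bits = rsa_bits


def on_server_key_exchange_fixed(state: ClientState, rsa_bits: int) -> None:
    """Hardened behaviour: a ServerKeyExchange with an RSA key is only legal in an
    RSA_EXPORT suite, and even then the key must be export-sized."""
    if state.negotiated_suite not in EXPORT_SUITES:
        raise HandshakeError("unexpected ServerKeyExchange for a non-export suite")
    if rsa_bits > MAX_EXPORT_RSA_BITS:
        raise HandshakeError("temporary RSA key too large for an export suite")
    state.server_rsa_bits = rsa_bits


def simulate(handler: Callable[[ClientState, int], None], suite: str, rsa_bits: int) -> bool:
    """Run ServerHello then ServerKeyExchange through `handler`.
    Returns True if the client accepted the temporary key, False if it aborted."""
    state = ClientState()
    on_server_hello(state, suite)
    try:
        handler(state, rsa_bits)
    except HandshakeError:
        return False
    return state.server_rsa_bits == rsa_bits


if __name__ == "__main__":
    # A strong suite in ServerHello followed by an export-sized temporary key is
    # exactly the inconsistent exchange a client must refuse.
    downgrade = ("TLS_RSA_WITH_AES_128_CBC_SHA", 512)
    print("vulnerable client accepts:", simulate(on_server_key_exchange_vulnerable, *downgrade))
    print("fixed client accepts:", simulate(on_server_key_exchange_fixed, *downgrade))
```

The fixed handler keys its decision on the suite the client itself saw in ServerHello rather than on the contents of the ServerKeyExchange, which is why a tampered handshake that mixes a strong suite with an export key is refused outright.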

computer vulnerability announce CVE-2014-2385

Sophos Antivirus Configuration Console: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Sophos Antivirus Configuration Console, in order to execute JavaScript code in the context of the web site.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 25/06/2014.
Identifiers: CVE-2014-2385, VIGILANCE-VUL-14937.

Description of the vulnerability

The Sophos Antivirus Configuration Console product offers a web service.

However, it does not sanitize received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Sophos Antivirus Configuration Console, in order to execute JavaScript code in the context of the web site.

vulnerability note CVE-2014-0160

OpenSSL: information disclosure via Heartbeat

Synthesis of the vulnerability

An attacker can use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
Impacted products: Tomcat, ArubaOS, i-Suite, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, ARCserve Backup, ASA, Cisco Catalyst, IOS XE Cisco, Prime Infrastructure, Cisco PRSM, Cisco Router, Cisco CUCM, Cisco IP Phone, Cisco Unity ~ precise, XenDesktop, MIMEsweeper, Clearswift Email Gateway, Clearswift Web Gateway, Debian, ECC, PowerPath, ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, HP Diagnostics, LoadRunner, Performance Center, AIX, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, JUNOS, Junos Pulse, Juniper Network Connect, Juniper SA, Juniper UAC, LibreOffice, MBS, McAfee Email Gateway, ePO, GroupShield, McAfee NGFW, VirusScan, McAfee Web Gateway, Windows 8, Windows RT, MySQL Enterprise, NetBSD, OpenBSD, OpenSSL, openSUSE, Opera, Solaris, pfSense, HDX, RealPresence Collaboration Server, Polycom VBP, Puppet, RHEL, RSA Authentication Manager, SIMATIC, Slackware, Sophos AV, Splunk Enterprise, Stonesoft NGFW/VPN, stunnel, ASE, OfficeScan, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, VMware Player, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation, Websense Email Security, Websense Web Filter, Websense Web Security.
Severity: 3/4.
Creation date: 08/04/2014.
Identifiers: 1669839, 190438, 2076225, 2962393, c04236102, c04267775, c04286049, CA20140413-01, CERTFR-2014-ALE-003, CERTFR-2014-AVI-156, CERTFR-2014-AVI-161, CERTFR-2014-AVI-162, CERTFR-2014-AVI-167, CERTFR-2014-AVI-169, CERTFR-2014-AVI-177, CERTFR-2014-AVI-178, CERTFR-2014-AVI-179, CERTFR-2014-AVI-180, CERTFR-2014-AVI-181, CERTFR-2014-AVI-198, CERTFR-2014-AVI-199, CERTFR-2014-AVI-213, cisco-sa-20140409-heartbleed, CTX140605, CVE-2014-0160, CVE-2014-0346-REJECT, DSA-2896-1, DSA-2896-2, emr_na-c04236102-7, ESA-2014-034, ESA-2014-036, ESA-2014-075, FEDORA-2014-4879, FEDORA-2014-4910, FEDORA-2014-4982, FEDORA-2014-4999, FG-IR-14-011, FreeBSD-SA-14:06.openssl, Heartbleed, HPSBMU02995, HPSBMU03025, HPSBMU03040, ICSA-14-105-03, JSA10623, MDVSA-2014:123, MDVSA-2015:062, NetBSD-SA2014-004, openSUSE-SU-2014:0492-1, openSUSE-SU-2014:0560-1, openSUSE-SU-2014:0719-1, pfSense-SA-14_04.openssl, RHSA-2014:0376-01, RHSA-2014:0377-01, RHSA-2014:0378-01, RHSA-2014:0396-01, RHSA-2014:0416-01, SA40005, SA79, SB10071, SOL15159, SPL-82696, SSA:2014-098-01, SSA-635659, SSRT101565, USN-2165-1, VIGILANCE-VUL-14534, VMSA-2014-0004, VMSA-2014-0004.1, VMSA-2014-0004.2, VMSA-2014-0004.3, VMSA-2014-0004.6, VMSA-2014-0004.7, VU#720951.

Description of the vulnerability

The Heartbeat extension of TLS (RFC 6520) provides a keep-alive feature without performing a renegotiation. It exchanges random data carried in a payload.

Version 1.0.1 of OpenSSL implements Heartbeat, which is enabled by default. The [d]tls1_process_heartbeat() function handles Heartbeat messages. However, it does not check that the declared payload length fits within the received message: it keeps reading past the end of the payload and returns that whole memory area (up to 64 KB) to the peer (client or server).

An attacker can therefore use the Heartbeat protocol on an application compiled with OpenSSL, in order to obtain sensitive information, such as keys stored in memory.
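The missing length check in [d]tls1_process_heartbeat(), as an added Python model that is not OpenSSL's code: a heartbeat record sits in simulated memory followed by other data, the vulnerable handler copies as many bytes as the payload_length field claims, and the hardened handler silently discards any message whose claimed payload plus the 16-byte minimum padding does not fit in the received record, which is the check the OpenSSL fix added. The function names, the fixed zero padding (RFC 6520 uses random padding) and the simulated memory layout are constructed for the illustration.

```python
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(hb_type: int, payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    claimed_len lets the demo construct a message whose length field disagrees
    with the real payload, which is the malformed input the bulletin describes."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([hb_type]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Model of the 1.0.1 behaviour: trusts payload_length and copies that many bytes
    starting at the payload, reading past the record into whatever follows it.
    (Python slicing stops at the end of `memory`; C memcpy would not.)"""
    (payload_len,) = struct.unpack("!H", memory[1:3])
    # record_len is never consulted here: this is the missing bounds check
    leaked = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + leaked + b"\x00" * MIN_PADDING


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Hardened handler: a request whose payload_length does not fit inside the
    record (with its minimum padding) is dropped without a response."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # too short to even hold an empty payload plus padding
    hb_type = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # the check [d]tls1_process_heartbeat() lacked
    if hb_type != HB_REQUEST:
        return None
    payload = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload + b"\x00" * MIN_PADDING


def demo() -> Tuple[bytes, Optional[bytes], bytes]:
    """Constructed scenario: a 2-byte payload whose length field claims enough to
    reach a 'secret' placed right after the record in memory."""
    secret = b"PRIVATE-KEY-MATERIAL"  # constructed stand-in for key material in memory
    record = build_heartbeat(HB_REQUEST, b"hi", claimed_len=2 + MIN_PADDING + len(secret))
    memory = record + secret
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record)), secret


if __name__ == "__main__":
    vuln, fixed, secret = demo()
    print("vulnerable response leaks secret:", secret in vuln)
    print("fixed handler responds:", fixed is not None)
```

A well-formed request still gets a normal response from the fixed handler; only the inconsistent one is dropped, matching the RFC 6520 requirement to discard such messages silently rather than answer them.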

computer vulnerability alert CVE-2014-1213

Sophos Anti-Virus: denial of service via Object

Synthesis of the vulnerability

A local attacker can interact with objects of Sophos Anti-Virus, in order to trigger a denial of service.
Impacted products: Sophos AV.
Severity: 1/4.
Creation date: 03/02/2014.
Identifiers: BID-65286, CVE-2014-1213, VIGILANCE-VUL-14166.

Description of the vulnerability

The Windows Object Manager is used to access all system objects:
  \BaseNamedObjects (mutex, timer, etc.)
  \Drivers
  \FileSystem
  etc.

The Sophos antivirus uses several objects:
  $$!_EVENT_$!__...
  SAV-****
  SAV-Info
  SophosALMonSessionInstance

However, ACLs are not set for these objects.

A local attacker can therefore interact with objects of Sophos Anti-Virus, in order to trigger a denial of service.

vulnerability alert CVE-2012-6706

Sophos Antivirus: several vulnerabilities

Synthesis of the vulnerability

An attacker can create a malicious VB6/CAB/RAR/PDF file which corrupts the Sophos Antivirus memory, in order to execute code on the victim's computer.
Impacted products: AsyncOS, Cisco ESA, IronPort Email, IronPort Web, Solaris, Sophos AV.
Severity: 3/4.
Creation date: 05/11/2012.
Identifiers: BID-56401, bulletinjul2017, CERTA-2012-AVI-627, CERTA-2012-AVI-637, cisco-sa-20121108-sophos, CSCud10556, CVE-2012-6706, VIGILANCE-VUL-12111, VU#662243.

Description of the vulnerability

The Sophos Antivirus product scans documents handled by users for viruses. However, malformed documents are not correctly decoded.

An ActiveX control created with Visual Basic 6 triggers an integer overflow. [severity:3/4]

A malicious CAB archive creates a buffer overflow. [severity:3/4]

A malicious RAR archive corrupts the memory (VIGILANCE-VUL-23073). [severity:3/4; CVE-2012-6706]

A malicious PDF document generates a buffer overflow. [severity:3/4]

An attacker can therefore create a malicious VB6/CAB/RAR/PDF file which corrupts the Sophos Antivirus memory, in order to execute code on the victim's computer.

vulnerability bulletin CVE-2012-1424 CVE-2012-1427 CVE-2012-1428

Sophos Anti-Virus: bypassing via CAB, CHM, ELF, EXE, Office, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by Sophos Anti-Virus.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 21/03/2012.
Identifiers: BID-52579, BID-52587, BID-52589, BID-52590, BID-52591, BID-52598, BID-52599, BID-52600, BID-52608, BID-52611, BID-52612, BID-52613, BID-52617, BID-52621, BID-52623, BID-52626, CVE-2012-1424, CVE-2012-1427, CVE-2012-1428, CVE-2012-1430, CVE-2012-1431, CVE-2012-1438, CVE-2012-1442, CVE-2012-1443, CVE-2012-1446, CVE-2012-1450, CVE-2012-1453, CVE-2012-1456, CVE-2012-1458, CVE-2012-1459, CVE-2012-1461, CVE-2012-1462, VIGILANCE-VUL-11473.

Description of the vulnerability

Tools that extract archives (CAB, TAR, ZIP, etc.) will still extract archives that are slightly malformed. Systems will likewise still execute programs (ELF, EXE) that are slightly malformed. However, Sophos Anti-Virus does not detect viruses contained in these archives/programs.

A TAR archive containing "\19\04\00\10" at offset 8 bypasses the detection. [severity:1/4; BID-52590, CVE-2012-1424]

A TAR archive containing "\57\69\6E\5A\69\70" at offset 29 bypasses the detection. [severity:1/4; BID-52587, CVE-2012-1427]

A TAR archive containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:1/4; BID-52579, CVE-2012-1428]

An ELF program containing "\19\04\00\10" at offset 8 bypasses the detection. [severity:2/4; BID-52589, CVE-2012-1430]

An ELF program containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:2/4; BID-52591, CVE-2012-1431]

An MS Office document containing "ustar" at offset 257 bypasses the detection. [severity:1/4; BID-52599, CVE-2012-1438]

An EXE program containing a large "class" field bypasses the detection. [severity:2/4; BID-52598, CVE-2012-1442]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

A CAB archive containing a large "reserved3" field bypasses the detection. [severity:1/4; BID-52617, CVE-2012-1450]

A CAB archive containing a large "coffFiles" field bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A CHM help file with a header containing a low "interval" value bypasses the detection. [severity:1/4; BID-52611, CVE-2012-1458]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

A ZIP archive starting with 1024 random bytes bypasses the detection. [severity:1/4; BID-52613, CVE-2012-1462]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then only detected once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus, but which can still be run by the system.

computer vulnerability note 9699

Sophos AV: privilege elevation via SAVOnAccessFilter

Synthesis of the vulnerability

A local attacker can use a vulnerability of the SAVOnAccessFilter driver, in order to obtain system privileges.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 10/06/2010.
Identifiers: BID-40715, TPTI-10-03, VIGILANCE-VUL-9699.

Description of the vulnerability

The Sophos antivirus installs the SAVOnAccessFilter.sys driver, which intercepts system calls as they are made.

The NtQueryAttributesFile() system call retrieves information about a file. The SAVOnAccessFilter.sys driver inspects this system call.

However, the parameters of NtQueryAttributesFile() are not correctly validated by the driver, so a malformed call corrupts its memory.

A local attacker can therefore use a vulnerability of the SAVOnAccessFilter driver, in order to obtain system privileges.

vulnerability announce 8802

Sophos Anti-Virus: bypassing via CAB

Synthesis of the vulnerability

An attacker can create a CAB archive containing a virus which is not detected by Sophos products.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 16/06/2009.
Identifiers: 59992, BID-35402, VIGILANCE-VUL-8802.

Description of the vulnerability

Sophos products detect viruses contained in CAB archives.

However, an attacker can create a slightly malformed archive, which can still be opened by extraction tools, but which cannot be opened by the antivirus.

An attacker can therefore create a CAB archive containing a virus which is not detected by Sophos products.

vulnerability announce 8402

Sophos AV: denial of service via RMS

Synthesis of the vulnerability

An attacker can send a malicious GIOP message in order to force a restart of Remote Management System.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 16/01/2009.
Identifiers: 51420, BID-33313, VIGILANCE-VUL-8402.

Description of the vulnerability

The RMS (Remote Management System) service listens on the IIOP (Internet Inter-ORB Protocol) port 8193. TAO is an ORB (Object Request Broker) for the C++ language, used by RMS. Note that the signature update system does not use RMS.

When an attacker sends a large GIOP message to the IIOP port, an error occurs in TAO, which restarts RMS. Technical details are unknown.

An attacker can therefore send a malicious GIOP message in order to force a restart of Remote Management System.

computer vulnerability note CVE-2008-6904

Sophos AV: denial of service via Packer

Synthesis of the vulnerability

An attacker can create a malicious packed binary in order to cause a denial of service and possibly execute code in Sophos AV.
Impacted products: Sophos AV.
Severity: 2/4.
Creation date: 10/12/2008.
Revision date: 19/12/2008.
Identifiers: BID-32748, CVE-2008-6904, IVIZ-08-015, VIGILANCE-VUL-8319.

Description of the vulnerability

An attacker can create a malicious packed binary in order to cause a denial of service and possibly execute code in Sophos AV.

Technical details are unknown.

This vulnerability may only impact Linux versions of the antivirus.