Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Critical vulnerability in Sophos Anti-Virus products - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical vulnerability in Sophos Anti-Virus products
A critical, remotely exploitable vulnerability, has been identified in various Sophos Anti-Virus products. The list of products affected is pretty big and covers everything from desktop Anti-Virus scanners over PureMessage to MailMonitor for SMTP and Exchange.

The vulnerability can be exploited by crafting a special CAB (Microsoft Cabinet) file with invalid folder count values in the header. This can result in corruption of heap memory which can further lead to execution of arbitrary code on the target machine.

This obviously requires that the inspection of CAB files is enabled, which will surely be the case at least on e-mail gateways (so a special warning for users of PureMessage and MailMonitor packages).

Sophos' advisory and details about updates are available at http://www.sophos.com/support/knowledgebase/article/4934.html. I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!