Cisco Security Advisory

Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities

Advisory ID: cisco-sa-20121108-sophos

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos

Revision 1.3

Last Updated  2012 November 13 23:16  UTC (GMT)

For Public Release 2012 November 9 03:00  UTC (GMT)


Summary

Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web Security Appliances (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial-of-service (DoS) condition. An attacker could exploit these vulnerabilities by sending malformed files to an appliance that is running Sophos Anti-Virus. The malformed files could cause the Sophos antivirus engine to behave unexpectedly.

On November 13, 2012, Cisco qualified and provisioned a Sophos engine to the Cisco IronPort ESA and WSA update servers that fixes the vulnerabilities described in this document.

Future updates to the Sophos engine will be qualified and provisioned to the Cisco IronPort ESA and WSA update servers as they become available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos

Cisco is not aware of any active exploitation affecting Cisco customers.

Affected Products

Vulnerable Products

The following Cisco IronPort appliances, when configured to use Sophos software, are affected by these vulnerabilities:
  • Cisco IronPort Email Security Appliances (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.
  • Cisco IronPort Web Security Appliances (S-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.

Customers can use either the command-line interface (CLI) or the Web Graphical User Interface (GUI) to verify the Sophos software and version.

In the Cisco IronPort WSA CLI, use the version command. In the GUI, select Security Services > Web Reputation and Anti-Malware.

In the Cisco IronPort ESA CLI, use the antivirusstatus sophos command. In the GUI, select Security Services > Anti-Virus > Sophos.
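To turn the "3.2.07.352_4.80 and earlier" rule above into a repeatable check across a fleet of appliances, here is an added example (not Cisco's code) that parses the Sophos engine version string reported by the CLI or GUI and compares it numerically against the advisory's threshold. The sample CLI output embedded in it is constructed for illustration and is not the real format of the antivirusstatus sophos command; the regex only requires that the version token appear somewhere in the text.

```python
import re

# Added example, not Cisco tooling: flag Sophos engine versions that fall in
# the range this advisory calls affected ("3.2.07.352_4.80 and earlier").
LAST_AFFECTED = "3.2.07.352_4.80"   # highest affected engine per the advisory
FIXED = "3.2.07.363_4.83"           # engine Cisco provisioned on 2012-11-13

# Engine version token: dotted numbers, an underscore, dotted numbers.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+_\d+(?:\.\d+)+)\b")


def version_key(version):
    # "3.2.07.352_4.80" -> ((3, 2, 7, 352), (4, 80)); numeric parts so that
    # "07" compares as 7 and 352 sorts below 363 (string order would not).
    engine, _, data = version.partition("_")
    return (tuple(int(p) for p in engine.split(".")),
            tuple(int(p) for p in data.split(".")))


def is_affected(version):
    # "and earlier" means equal-or-lower in both the engine and data components.
    return version_key(version) <= version_key(LAST_AFFECTED)


def versions_in(text):
    # Pull every engine-style version token out of free-form CLI/GUI output.
    return VERSION_RE.findall(text)


def check_output(text):
    # (version, affected) for each token found; empty list if none is present.
    return [(v, is_affected(v)) for v in versions_in(text)]


# Constructed sample; NOT the real 'antivirusstatus sophos' output format.
SAMPLE = "Sophos Anti-Virus\n  Engine: 3.2.07.352_4.80\n  Last update: Nov 8 2012\n"

if __name__ == "__main__":
    for version, affected in check_output(SAMPLE):
        print(version, "AFFECTED, update to", FIXED) if affected else print(version, "ok")
```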

Products Confirmed Not Vulnerable

Cisco IronPort Security Management Appliances (M-Series) are not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details

The Cisco IronPort ESA provides email management and protection combining antispam, antivirus, and encryption technologies. The Cisco IronPort WSA is a secure web gateway that provides advanced malware protection, application visibility and control, acceptable use policy controls, reporting, and secure mobility on a single platform.

Cisco IronPort ESA and WSA can be configured to use one of several popular antivirus programs. Only Cisco IronPort appliances running Sophos Engine: 3.2.07.352_4.80 and earlier are affected by the following vulnerabilities published in the Sophos knowledge base article at: http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

The following vulnerabilities affect the Sophos engine that is currently installed on Cisco IronPort ESA and WSA products:
  • Integer overflow parsing Visual Basic 6 controls
  • Internet Explorer protected mode is effectively disabled by Sophos
  • Memory corruption vulnerability in Microsoft CAB parsers
  • RAR virtual machine standard filters memory corruption
  • Stack buffer overflow decrypting PDF files
The following vulnerabilities do not affect the Sophos engine that is currently installed on Cisco IronPort ESA and WSA products:
  • sophos_detoured_x64.dll ASLR bypass
  • Universal XSS
  • Privilege escalation through network update service
Sophos engine version 3.2.07.363_4.83 was qualified and provisioned to the Cisco IronPort ESA and WSA update servers on Tuesday, November 13th, 2012 and fixes the vulnerabilities described in this document.

These vulnerabilities are documented in CSCud10556 (registered customers only) for the Cisco IronPort Email Security Appliance and in CSCud10546 (registered customers only) for the Cisco IronPort Web Security Appliance.

Vulnerability Scoring Details

Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

Cisco has provided additional information regarding CVSS at the following link:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link:

http://intellishield.cisco.com/security/alertmanager/cvss



Cisco Ironport Email Security Appliances (ESA) - CSCud10556

CVSS Base Score - 9.7

  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: Complete
  Integrity Impact:       Complete
  Availability Impact:    Partial

CVSS Temporal Score - 8.7

  Exploitability:         Proof-of-Concept
  Remediation Level:      Unavailable
  Report Confidence:      Confirmed




Cisco Ironport Web Security Appliance - CSCud10546

CVSS Base Score - 9.7

  Access Vector:          Network
  Access Complexity:      Low
  Authentication:         None
  Confidentiality Impact: Complete
  Integrity Impact:       Complete
  Availability Impact:    Partial

CVSS Temporal Score - 8.7

  Exploitability:         Proof-of-Concept
  Remediation Level:      Unavailable
  Report Confidence:      Confirmed


Impact

Successful exploitation of these vulnerabilities may cause the Sophos Anti-Virus engine to crash. A remote, unauthenticated attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition.

Software Versions and Fixes

Sophos engine version 3.2.07.363_4.83 was qualified and provisioned to the Cisco IronPort ESA and WSA update servers on November 13, 2012 and fixes the vulnerabilities described in this advisory.

Workarounds

There are no workarounds for these vulnerabilities. Cisco recommends updating to Sophos engine version 3.2.07.363_4.83.

Obtaining Fixed Software

The affected products in this advisory are directly supported by Cisco IronPort. Customers should contact Cisco IronPort Technical Support at the link below for any questions concerning the automatic software updates. Customers should direct all warranty questions to Cisco IronPort Technical Support.

Note: Do not contact psirt@cisco.com or security-alert@cisco.com for software updates.

http://www.ironport.com/support/contact_support.html

Customers with Service Contracts

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, upgrades should be obtained through the Software Navigator on Cisco.com at http://www.cisco.com/cisco/software/navigator.html.

Customers Using Third-Party Support Organizations

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain updates by contacting Cisco IronPort Technical Support.

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free update. Customers without service contracts should request free updates through IronPort Technical Support.

Refer to Cisco IronPort Customer Support Contacts at http://www.ironport.com/support/contact_support.html for additional technical support contact information.

Exploitation and Public Announcements

The vulnerabilities in Sophos Anti-Virus that affect these Cisco IronPort appliances were publicly disclosed by Tavis Ormandy on November 5th, 2012. The Sophos advisory is available at:

http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

Cisco is not aware of any active exploitation affecting Cisco customers.

Status of This Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Distribution

This advisory is posted on Cisco Security Intelligence Operations at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos

Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses:

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk

Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates.


Revision History

Revision 1.3 2012-November-13 Updated to announce fixed software.
Revision 1.2 2012-November-12 Added expected fix availability.
Revision 1.1 2012-November-09 Added additional CLI/GUI commands.
Revision 1.0 2012-November-09 Initial public release.

Cisco Security Procedures

Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco is available on Cisco.com at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This web page includes instructions for press inquiries regarding Cisco Security Advisories. All Cisco Security Advisories are available at http://www.cisco.com/go/psirt.