Cisco IronPort Email Security Appliances and Web Security Appliances include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial of service condition on an affected device. Updates are not available.
Description
Cisco IronPort Email Security Appliance (ESA) and Web Security Appliance (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial of service (DoS) condition.
The vulnerabilities are due to the improper handling of crafted files by the Sophos Threat Detection Engine that is used by the affected devices. An unauthenticated, remote attacker could exploit these vulnerabilities by sending crafted files to an appliance that is running the affected software. A successful exploit could allow the attacker to cause a DoS condition, escalate privileges, or take control of a targeted device.
Cisco has confirmed these vulnerabilities in a security advisory; however, software updates are not yet available.
Warning Indicators
The following Cisco IronPort products are affected:
Cisco IronPort ESA (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and prior.
Cisco IronPort WSA (S-Series) running Sophos Engine: 3.2.07.352_4.80 and prior.
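The affected range above is "3.2.07.352_4.80 and prior", which is easy to get wrong when an operator eyeballs a version string: the components are numeric, so a plain string comparison misorders values such as 3.2.07.1000 against 3.2.07.352. The following Python helper is an added example, not part of the Cisco alert, that parses the Sophos engine version as reported by the appliance and decides whether it falls inside the affected range. The sample status output embedded in it is constructed for illustration; the field label "SAV Engine Version" is an assumption about how the appliance CLI prints the engine version, and the suffix after the underscore is assumed to be the detection-data version, which is compared only as a tiebreak.

```python
"""Decide whether a Sophos engine version reported by an IronPort ESA/WSA
falls in the range the alert calls affected ("3.2.07.352_4.80 and prior").

Added example; not Cisco or Sophos code.
"""
import re
from typing import Tuple

# Highest affected Sophos engine version quoted in the alert.
AFFECTED_MAX = "3.2.07.352_4.80"

# Constructed sample of what an operator might paste from the appliance CLI
# (e.g. the antivirusconfig/antivirusstatus output). The field label is an
# illustrative assumption, not verbatim AsyncOS output.
SAMPLE_STATUS_OUTPUT = """\
SAV Engine Version                 3.2.07.352_4.80
Last Engine Update                 (constructed sample)
"""

VersionKey = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(version: str) -> VersionKey:
    """Split 'a.b.c.d_x.y' into two integer tuples: (engine, data).

    Integer tuples compare numerically, so 3.2.07.1000 sorts after
    3.2.07.352, where a string comparison would put it before.
    The '_x.y' suffix (assumed to be the detection-data version) is
    optional; when absent it is treated as the lowest possible value.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:_(\d+(?:\.\d+)*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos version string: {version!r}")
    engine = tuple(int(p) for p in m.group(1).split("."))
    data = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else ()
    return engine, data


def is_affected(version: str, affected_max: str = AFFECTED_MAX) -> bool:
    """True if `version` is the quoted affected version or an earlier one.

    Tuple comparison checks the engine version first and only falls back
    to the data-version suffix when the engine versions are identical.
    """
    return parse_version(version) <= parse_version(affected_max)


def extract_engine_version(status_output: str) -> str:
    """Pull the engine version string out of pasted appliance status text."""
    m = re.search(r"SAV Engine Version\s+(\S+)", status_output)
    if not m:
        raise ValueError("no 'SAV Engine Version' line found in status output")
    return m.group(1)


if __name__ == "__main__":
    reported = extract_engine_version(SAMPLE_STATUS_OUTPUT)
    verdict = "AFFECTED" if is_affected(reported) else "not in the affected range"
    print(f"Reported Sophos engine {reported}: {verdict}")
```

Run the script against a pasted status dump, or import `is_affected` and feed it the version strings collected from a fleet of appliances; anything returning True should have the McAfee workaround from the Analysis section applied until the Sophos update is provisioned.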
IntelliShield Analysis
Cisco IronPort ESA and WSA appliances are vulnerable only when running Sophos Anti-Virus. Cisco appliances using other antivirus programs are not affected.
Customers may implement a workaround by using an alternate antivirus program on the Cisco IronPort ESA and WSA appliances.
Cisco is providing 30-day trial licenses for McAfee antivirus software through IronPort Technical Support as an interim workaround. Customers may obtain a 30-day McAfee license by contacting IronPort Technical Support.
Customers can enable the 30-day evaluation key by accessing Security Services > Sophos/McAfee Anti-Virus pages in the Web GUI or by executing the antivirusconfig command in the CLI.
Cisco has obtained the Sophos software updates that address these vulnerabilities and is working toward provisioning the updates.
An unauthenticated, remote attacker could exploit these vulnerabilities to cause a DoS condition, escalate privileges, or take control of a targeted device.
Technical Information
The vulnerabilities are due to multiple memory corruption and design flaws in the Sophos Anti-Virus program that is used by Cisco ESA and WSA appliances.
An unauthenticated, remote attacker could exploit these vulnerabilities by sending crafted files to an affected device. When the malicious files are processed by the targeted device, the attacker could cause a DoS condition, escalate privileges, or take control of a targeted device.
Safeguards
Administrators are advised to contact the vendor regarding future updates and releases.
Administrators are advised to allow only trusted users to have network access. Note that an ESA scanning inbound Internet mail processes attachments from untrusted senders by design, so this safeguard offers limited protection for that deployment; the engine workaround below is the effective mitigation.
Administrators are advised to configure an alternate antivirus program on the Cisco IronPort Email Security Appliances and Web Security Appliances.
Administrators are advised to monitor affected systems.
Patches/Software
Software updates are not yet available; however, the configuration workarounds noted in the Analysis section of this alert and described in the Cisco advisory may eliminate the risk for customers. Cisco is working to qualify and automatically provision updates to the Cisco IronPort ESA and WSA platforms as they become available from Sophos.
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
The security vulnerability applies to the following combinations of products.
Primary Products:
Cisco
Cisco IronPort Email Security Appliance
7.0 Base | 7.1 Base | 7.2 Base | 7.3 Base | C160 Base | C370 Base | C370D Base | C670 Base | CX1070 Base
Cisco
Cisco IronPort Web Security Appliance
S160 Base | S360 Base | S660 Base | S670 Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.