Vulnerability Alert

Multiple Cisco Ironport Appliances Sophos Threat Engine Vulnerabilities

 
Threat Type:
IntelliShield ID: 27388
Version: 1
First Published: 2012 November 08 22:28 GMT
Last Published: 2012 November 09 03:28 GMT
Port: Not available
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.7
CVSS Version 2.0
CVSS Temporal: 8.7
 
Version Summary: Cisco Ironport Email Security Appliances and Web Security Appliances include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial of service condition on an affected device. Updates are not available.
 
 
Description
Cisco Ironport Email Security Appliance (ESA) and Web Security Appliance (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial of service (DoS) condition.

The vulnerabilities are due to the improper handling of crafted files by the Sophos Threat Detection Engine that is used by the affected devices. An unauthenticated, remote attacker could exploit these vulnerabilities by sending crafted files to an appliance that is running the affected software. A successful exploit could allow the attacker to cause a DoS condition, escalate privileges, or take control of a targeted device.

Cisco has confirmed these vulnerabilities in a security advisory; however, software updates are not yet available.
 
Warning Indicators
The following Cisco IronPort products are affected:
  • Cisco IronPort ESA (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and prior.
  • Cisco IronPort WSA (S-Series) running Sophos Engine: 3.2.07.352_4.80 and prior.
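The affected range above is expressed as a Sophos engine version string ("3.2.07.352_4.80 and prior"). The following is an added example, not Cisco or Sophos tooling, that parses that version format and triages a constructed appliance inventory against the alert; it assumes the string is an engine version and a data version joined by an underscore, each compared numerically field by field.

```python
"""Triage Sophos engine versions on IronPort ESA/WSA appliances against the
affected range in this alert (3.2.07.352_4.80 and prior).

Added example, not Cisco tooling. Assumes the version string has the form
"<engine>_<data>" with dot-separated numeric fields (assumption about the
version scheme); fields are compared numerically, left to right.
"""
import re

LAST_AFFECTED = "3.2.07.352_4.80"  # from the alert's Warning Indicators


def parse_version(v):
    """Turn '3.2.07.352_4.80' into ((3, 2, 7, 352), (4, 80))."""
    if not re.fullmatch(r"\d+(\.\d+)*(_\d+(\.\d+)*)?", v):
        raise ValueError(f"unrecognised Sophos engine version: {v!r}")
    engine, _, data = v.partition("_")
    to_tuple = lambda s: tuple(int(x) for x in s.split(".")) if s else ()
    return to_tuple(engine), to_tuple(data)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the engine version is at or below the last affected version."""
    return parse_version(version) <= parse_version(last_affected)


# Constructed sample inventory: hostname, model, active AV engine, engine version.
SAMPLE_INVENTORY = """\
esa01 C370 sophos 3.2.07.352_4.80
wsa01 S660 sophos 3.2.07.352_4.81
esa02 C670 mcafee n/a
wsa02 S160 sophos 3.2.06.980_4.79
"""


def triage(inventory_text):
    """Return {hostname: 'affected' | 'not affected' | 'unknown'}."""
    result = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _model, engine, version = line.split()
        if engine.lower() != "sophos":
            # The alert applies only to appliances running the Sophos engine.
            result[host] = "not affected"
            continue
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"  # unparsable version: verify by hand
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```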
 
IntelliShield Analysis
Cisco Ironport ESA and WSA appliances are vulnerable only when running Sophos Anti-Virus. Cisco appliances using other antivirus programs are not affected.

Customers may implement a workaround by using an alternate antivirus program on the Cisco IronPort ESA and WSA appliances.

Cisco is providing 30-day trial licenses for McAfee antivirus software through Ironport Technical Support as an interim workaround. Customers may obtain a 30-day McAfee license at the following link: Ironport Technical Support

Customers can enable the 30-day evaluation key by accessing Security Services > Sophos/McAfee Anti-Virus pages in the Web GUI or by executing the antivirusconfig command in the CLI.

Cisco has obtained the Sophos software updates that address these vulnerabilities and is working toward provisioning the updates.
 
Vendor Announcements
Cisco has released a security advisory for Cisco bug IDs CSCud10556 and CSCud10546 at the following link: cisco-sa-20121108-sophos

Sophos has released a security advisory at the following link: Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products
 
Impact
An unauthenticated, remote attacker could exploit these vulnerabilities to cause a DoS condition, escalate privileges, or take control of a targeted device.
 
Technical Information
The vulnerabilities are due to multiple memory corruption and design flaws in the Sophos Anti-Virus program that is used by Cisco ESA and WSA appliances.

An unauthenticated, remote attacker could exploit these vulnerabilities by sending crafted files to an affected device. When the malicious files are processed by the targeted device, the attacker could cause a DoS condition, escalate privileges, or take control of a targeted device.
 
Safeguards
Administrators are advised to contact the vendor regarding future updates and releases.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to configure an alternate antivirus program on the Cisco IronPort Email Security Appliances and Web Security Appliances.

Administrators are advised to monitor affected systems.
 
Patches/Software
Software updates are not yet available; however, the configuration workarounds noted in the Analysis section of this alert and described in the Cisco advisory may eliminate the risk for customers. Cisco is working to qualify and automatically provision updates to the Cisco Ironport ESA and WSA platforms as they become available from Sophos.
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Cisco IronPort Email Security Appliance 7.0 Base | 7.1 Base | 7.2 Base | 7.3 Base | C160 Base | C370 Base | C370D Base | C670 Base | CX1070 Base
Cisco IronPort Web Security Appliance S160 Base | S360 Base | S660 Base | S670 Base

Associated Products:
N/A
