Reference: CERT-EU Security Advisory 2012-0135

Title: Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities [1]

Version history:
22.11.2012 Initial publication

Summary
=======

Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web Security Appliances (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial-of-service (DoS) condition.

CVSS Base Score: 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P) [4]

Vulnerable systems
==================

The following Cisco IronPort appliances, when configured to use Sophos software, are affected by this vulnerability:

  Cisco IronPort Email Security Appliances (C-Series and X-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.

  Cisco IronPort Web Security Appliances (S-Series) running Sophos Engine: 3.2.07.352_4.80 and earlier.

Original Details
================

Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort Web Security Appliances (WSA) include versions of Sophos Anti-Virus that contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to gain control of the system, escalate privileges, or cause a denial-of-service (DoS) condition.

An attacker could exploit these vulnerabilities by sending malformed files to an appliance that is running Sophos Anti-Virus. The malformed files could cause the Sophos antivirus engine to behave unexpectedly.

On November 13, 2012, Cisco qualified and provisioned a Sophos engine to the Cisco IronPort ESA and WSA update servers that fixes the vulnerabilities described in this document. Future updates to the Sophos engine will be qualified and provisioned to the Cisco IronPort ESA and WSA update servers as they become available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos

Cisco is not aware of any active exploitation affecting Cisco customers.

Successful exploitation of these vulnerabilities may cause the Sophos Anti-Virus engine to crash. A remote, unauthenticated attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition.

What can you do?
================

Sophos engine version 3.2.07.363_4.83 was qualified and provisioned to the Cisco IronPort ESA and WSA update servers on November 13, 2012 and fixes the vulnerabilities described in this advisory.

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos
[2] http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
[3] http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud10556 (registered customers only)
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
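
The version boundaries given under "Vulnerable systems" and "What can you do?" can be checked against an appliance inventory. The following is an added example, not part of the CERT-EU or Cisco advisory: it assumes the engine string compares field by field as integers, and the host names and inventory lines are constructed. Engine versions that fall between the two versions the advisory names are reported as unverified, because the advisory does not state their status.

```python
import re

# Engine versions quoted in the advisory text.
LAST_VULNERABLE = "3.2.07.352_4.80"
FIRST_FIXED = "3.2.07.363_4.83"

# Constructed inventory (hypothetical hosts): name,product,Sophos engine version
INVENTORY = """\
esa-01,ESA,3.2.07.352_4.80
esa-02,ESA,3.2.07.363_4.83
wsa-01,WSA,3.2.07.340_4.75
wsa-02,WSA,3.2.07.360_4.82
esa-03,ESA,unknown
"""

def parse_engine(version):
    """Turn '3.2.07.352_4.80' into (3, 2, 7, 352, 4, 80). Assumed ordering: numeric, left to right."""
    version = version.strip()
    if not re.fullmatch(r"\d+(?:[._]\d+)*", version):
        raise ValueError(f"unrecognised engine version: {version!r}")
    return tuple(int(part) for part in re.split(r"[._]", version))

def classify(version):
    """Return 'vulnerable', 'fixed', 'unverified' or 'unparseable' for one engine string."""
    try:
        v = parse_engine(version)
    except ValueError:
        return "unparseable"  # missing or malformed data needs manual review
    if v <= parse_engine(LAST_VULNERABLE):
        return "vulnerable"
    if v >= parse_engine(FIRST_FIXED):
        return "fixed"
    # Between the two versions the advisory names: status is not stated there.
    return "unverified"

def audit(inventory_text):
    """Classify every non-empty 'host,product,engine' line of the inventory."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, engine = (f.strip() for f in line.split(",", 2))
        findings.append((host, product, engine, classify(engine)))
    return findings

if __name__ == "__main__":
    for host, product, engine, status in audit(INVENTORY):
        print(f"{host:8} {product:4} {engine:18} {status}")
```

Any host not reported as fixed should be checked for the engine update that was provisioned to the update servers on November 13, 2012.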