Portcullis shuts down Sophos antivirus bug

UK-based security services firm Portcullis has discovered a flaw in Sophos Antivirus that could allow attackers to inject malicious code and disable the software.

Portcullis shuts down Sophos antivirus bug
Portcullis shuts down Sophos antivirus bug

Portcullis penetration tester Pablo Catalina revealed the problem in an advisory this week, after giving Sophos a chance to fix the problem.

The bug, CVE-2014-2385, is a multiple cross site scripting (XSS) vulnerability in the web user interface of Sophos Antivirus for Linux, which is used to configure the software.

Portcullis explained that the interface “does not sanitise several input parameters before sending them back to the browser, so an attacker could inject code inside these parameters, including JavaScript code. This vulnerability could allow a potential attacker to inject arbitrary code in the client browser. Exploit code is not required.”

Giving more details, Catalina told SCMagazineUK.com via email: “An attacker could inject code into the Sophos administration panel, and perform any actions on the Sophos administration such as disable the anti-virus.”

Portcullis first alerted Sophos to the problem in February. Sophos fixed it in version 9.6.1 of the software, released in May - but asked Portcullis to delay announcing the flaw until now.

A Sophos spokesperson said: “We would like to thank Portcullis for identifying this vulnerability and for disclosing it responsibly.”

Analysing the problem, industry expert Paco Hope, a principal consultant at security consultancy Cigital, highlighted the fact that it affects the configuration console used by the highest-level admin and privileged users of Sophos Antivirus.

Hope told SC via email: “There is a software engineering priority reflected in this finding: the actual anti-virus protection on workstations is defending on the front lines and it gets top priority. Back-office components, like the management console, often get less security effort. The intrinsic irony is that back-office components are often used by privileged users, so their vulnerabilities often have a high potential impact.”

The Sophos spokesperson told SC: “This vulnerability could in theory have allowed an attacker who already had access to a Linux system to get elevated privileges, although in practice it is quite unlikely that they would have been able to do so. To exploit the vulnerability the attacker would need to have user access to a Linux system with Sophos Antivirus and the web UI enabled, as well as know the user name and password for the web UI.”

Pablo Catalina said he thought the software was vulnerable for more than a year, though Sophos said it was not aware of any active exploits in the wild.

The company added: “If products are configured in Sophos Enterprise Console to use the ‘recommended' subscription, users will have received the new version automatically.”

The Sophos flaw follows last week's revelation of a similar bug in Microsoft's Malware Protection Engine software, discovered by Google information security engineer Tavis Ormandy. Microsoft said in a 17 June advisory that it had fixed bug CVE-2014-2779 which could have allowed a denial of service attack on its anti-virus and anti-spyware software.

Information on the Sophos vulnerability has been posted at http://www.sophos.com/support/knowledgebase/121135.aspx.