Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities (cisco-sa-20121108-sophos)

2013-09-25T00:00:00
ID CISCO-SA-20121108-SOPHOS.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote Cisco IronPort appliance has a version of the Sophos Anti-Virus engine that is 3.2.07.352_4.80 or earlier. It is, therefore, reportedly affected by the following vulnerabilities :

  • An integer overflow exists when parsing Visual Basic 6 controls.

  • A memory corruption issue exists in the Microsoft CAB parsers.

  • A memory corruption issue exists in the RAR virtual machine standard filters.

  • A privilege escalation vulnerability exists in the network update service.

  • A stack-based buffer overflow issue exists in the PDF file decrypter.

An unauthenticated, remote attacker could leverage these issues to gain control of the system, escalate privileges, or cause a denial of service.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Registration pass: Nessus loads the plugin with 'description' set to
  # collect the metadata below; the exit(0) at the end of this block stops
  # the script before any of the SSH-based checks further down run.
  script_id(70125);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/11/15");

  # Cross-references for the Sophos engine issues and Cisco's advisory.
  script_bugtraq_id(56401);
  script_xref(name:"CERT", value:"662243");
  script_xref(name:"CISCO-BUG-ID", value:"CSCud10546");
  script_xref(name:"CISCO-BUG-ID", value:"CSCud10556");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20121108-sophos");
  script_xref(name:"IAVA", value:"2012-A-0203");

  script_name(english:"Cisco IronPort Appliances Sophos Anti-Virus Vulnerabilities (cisco-sa-20121108-sophos)");
  script_summary(english:"Checks the Sophos Engine Version");

  script_set_attribute(attribute:"synopsis", value:
"The remote device uses an antivirus program that is affected by
multiple vulnerabilities.");
  # The "3.2.07.352_4.80 or earlier" threshold stated here must agree with
  # the ver_compare() fix string used in the detection code below.
  script_set_attribute(attribute:"description", value:
"The remote Cisco IronPort appliance has a version of the Sophos
Anti-Virus engine that is 3.2.07.352_4.80 or earlier. It is,
therefore, reportedly affected by the following vulnerabilities :

  - An integer overflow exists when parsing Visual Basic 6
    controls.

  - A memory corruption issue exists in the Microsoft CAB
    parsers.

  - A memory corruption issue exists in the RAR virtual
    machine standard filters.

  - A privilege escalation vulnerability exists in the
    network update service.

  - A stack-based buffer overflow issue exists in the PDF
    file decrypter.

An unauthenticated, remote attacker could leverage these issues to
gain control of the system, escalate privileges, or cause a denial-of-
service.");
  script_set_attribute(attribute:"see_also", value:"https://lock.cmpxchg8b.com/sophailv2.pdf");
  script_set_attribute(attribute:"see_also", value:"http://www.sophos.com/en-us/support/knowledgebase/118424.aspx");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121108-sophos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a16e77af");
  script_set_attribute(attribute:"solution", value:
"Update to Sophos engine version 3.2.07.363_4.83 as discussed in Cisco
Security Advisory cisco-sa-20121108-sophos.");
  # CVSS2 base: network vector, low complexity, no auth; complete
  # confidentiality/integrity impact, partial availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:email_security_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:cisco:web_security_appliance");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sophos:sophos_anti-virus");

  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"CISCO");

  # Depends on the SSH info gatherer and on local checks being enabled.
  # NOTE(review): script_require_ports() is given KB keys rather than TCP
  # ports here, presumably so the plugin runs when either the ESA or the
  # WSA key is present; confirm this matches the intended "one of" idiom.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled");
  script_require_ports("Host/AsyncOS/Cisco Email Security Appliance", "Host/AsyncOS/Cisco Web Security Appliance");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");



# Use the SSH command wrappers only when the loaded ssh library can run
# commands through them; otherwise fall back to the plain code path.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# Everything below is a local (SSH-collected) check, so stop early when
# local checks are disabled or the target did not identify as AsyncOS.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

version_cmd = get_kb_item("Host/AsyncOS/version_cmd");
if (isnull(version_cmd)) audit(AUDIT_OS_NOT, "Cisco AsyncOS");


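# Pull the SAV engine version out of 'text'. Callers only invoke this after
# confirming the "SAV Engine Version" marker is present, so a NULL match
# here means the output format changed rather than that Sophos is absent,
# and the plugin exits with an error instead of guessing.
function extract_sav_version(text)
{
  local_var match;

  match = eregmatch(pattern:"SAV Engine Version[ \t]+([0-9][0-9._]+)", string:text);
  if (isnull(match)) exit(1, "Failed to extract the SAV engine version.");
  return match[1];
}

version = NULL;
if (get_kb_item("Host/AsyncOS/Cisco Email Security Appliance"))
{
  # On the ESA the engine version is read by running 'antivirusstatus
  # sophos' over a fresh SSH session (presumably because the cached
  # version_cmd output does not carry it on that platform).
  sock_g = ssh_open_connection();
  if (!sock_g) exit(1, "Failed to open an SSH connection.");

  cmd = "antivirusstatus sophos";
  output = ssh_cmd(cmd:cmd+'\r\n', nosudo:TRUE, nosh:TRUE);

  # Close before any of the exit() calls below so the session is never
  # left open on an error path.
  ssh_close_connection();

  if ("SAV Engine Version" >< output)
  {
    version = extract_sav_version(text:output);
  }
  else if ("Unknown command or missing feature key" >< output)
  {
    # No Sophos feature key on this appliance: nothing to check.
    exit(0, "The remote Cisco Email Security Appliance does not include a version of Sophos Anti-Virus.");
  }
  else
  {
    # Covers both an unrecognised reply and a failed ssh_cmd() (NULL output).
    exit(1, "Unexpected output from running the command '"+cmd+"'.");
  }
}
else if (get_kb_item("Host/AsyncOS/Cisco Web Security Appliance"))
{
  # On the WSA the 'Host/AsyncOS/version_cmd' KB entry gathered earlier
  # already contains the engine version line, so no new SSH session is needed.
  if ("SAV Engine Version" >< version_cmd)
  {
    version = extract_sav_version(text:version_cmd);
  }
  else exit(0, "The remote Cisco Web Security Appliance does not include a version of Sophos Anti-Virus.");
}
else exit(0, "The host is not a Cisco IronPort ESA or WSA.");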


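# nb: Cisco's advisory says 3.2.07.352_4.80 and earlier are affected
#     but tells customers that version 3.2.07.363_4.83 fixes the issues.
#
# Every branch of the detection code above either sets 'version' or
# exits, so this guard should be unreachable; it is checked first so the
# regex matches below never run against a NULL value if that ever changes.
if (isnull(version)) exit(1, "Failed to identify if the remote Cisco IronPort appliance uses Sophos Anti-Virus.");

recommended_version = NULL;
if (version =~ "^[0-9][0-9.]+_[0-9][0-9.]+$")
{
  # Combined "engine_data" form such as 3.2.07.352_4.80: fold the '_' into
  # the dotted string so ver_compare() can treat it as a single version.
  version_num = str_replace(find:"_", replace:".", string:version);
  if (ver_compare(ver:version_num, fix:"3.2.07.352.4.80", strict:FALSE) <= 0) recommended_version = "3.2.07.363_4.83";
}
else if (version =~ "^[0-9][0-9.]+$")
{
  # Single dotted number: compared only against the second half (4.80) of
  # the affected version. NOTE(review): should an appliance ever report the
  # first half alone (e.g. 3.2.07.352) this branch would compare it against
  # 4.80 and report it vulnerable; confirm against real appliance output.
  if (ver_compare(ver:version, fix:"4.80", strict:FALSE) <= 0) recommended_version = "4.83";
}
# Should not happen: both branches above accept every format the
# extraction regex can produce.
else exit(1, "Unrecognized format for the Sophos Anti-Virus engine version ("+version+") on the remote Cisco IronPort appliance.");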


# No recommended version means the installed engine is newer than the
# affected range, so record a clean audit and stop.
if (isnull(recommended_version)) audit(AUDIT_INST_VER_NOT_VULN, 'Sophos engine', version);

# Only verbose reports carry the installed/recommended version details.
report = NULL;
if (report_verbosity > 0)
{
  report =
    '\n  Sophos engine installed version   : ' + version +
    '\n  Sophos engine recommended version : ' + recommended_version +
    '\n';
}

if (isnull(report)) security_hole(0);
else security_hole(port:0, extra:report);