69 lines
No EOL
3.1 KiB
Text
69 lines
No EOL
3.1 KiB
Text
List, I've completed the second paper in my series analyzing Sophos
|
|
Antivirus internals, titled "Practical Attacks against Sophos
|
|
Antivirus". As the name suggests, this paper describes realistic
|
|
attacks against networks using Sophos products.
|
|
|
|
The paper includes a working pre-authentication remote root exploit
|
|
that requires zero-interation, and could be wormed within the next few
|
|
days. I would suggest administrators deploying Sophos products study
|
|
my results urgently, and implement the recommendations.
|
|
|
|
I've also included a section on best practices for Sophos users,
|
|
intended to help administrators of high-value networks minimise the
|
|
potential damage to their assets caused by Sophos.
|
|
|
|
The paper is available to download at the link below.
|
|
|
|
https://lock.cmpxchg8b.com/sophailv2.pdf
|
|
http://www.exploit-db.com/docs/22510.pdf
|
|
|
|
A working exploit for Sophos 8.0.6 on Mac is available, however the
|
|
techniques used in the exploit easily transfer to Windows and Linux,
|
|
due to multiple critical implementation flaws described in the paper.
|
|
Testcases for the other flaws described in the paper are available on
|
|
request.
|
|
|
|
https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/22509.tar.gz
|
|
|
|
It is my understanding that Sophos plan to publish their own advice to
|
|
their customers today. I have not been given an opportunity to review
|
|
the advice in advance, so cannot comment on it's accuracy.
|
|
|
|
I have had a working exploit since September, but Sophos requested I
|
|
give them two months to prepare for this publication before discussing
|
|
it. A timeline of our interactions is included in the paper. I believe
|
|
CERT are also preparing an advisory. I'm currently working on the
|
|
third paper in the series, which I'll announce at a later date. Please
|
|
contact me if you would like to be a reviewer. I will add any last
|
|
minute updates to twitter, at http://twitter.com/taviso.
|
|
|
|
If you would like to learn more about Sophos internals, you can read
|
|
my previous paper in the series here
|
|
https://lock.cmpxchg8b.com/sophail.pdf
|
|
|
|
I've reproduced a section of the conclusion below.
|
|
|
|
Tavis.
|
|
|
|
Conclusion
|
|
|
|
As demonstrated in this paper, installing Sophos Antivirus exposes
|
|
machines to considerable risk. If Sophos do not urgently improve their
|
|
security posture, their continued deployment causes significant risk
|
|
to global networks and infrastructure.
|
|
|
|
In response to early access to this report, Sophos did allocate some
|
|
resources to resolve the issues discussed, however they were cearly
|
|
ill-equipped to handle the output of one co-operative, non-adversarial
|
|
security researcher. A sophisticated state-sponsored or highly
|
|
motivated attacker could devastate the entire Sophos user base with
|
|
ease.
|
|
|
|
Sophos claim their products are deployed throughout healthcare,
|
|
government, finance and even the military. The chaos a motivated
|
|
attacker could cause to these systems is a realistic global threat.
|
|
For this reason, Sophos products should only ever be considered for
|
|
low-value non-critical systems and never deployed on networks or
|
|
environments where a complete compromise by adversaries would be
|
|
inconvenient. |