Evidence of active exploit against email servers!! (sophos)
William Burns
William.Burns at AEROFLEX.COM
Thu Jul 28 20:30:30 IST 2005
Hello:
One of the Aeroflex mail admins is using MailScanner w/ Sophos, and he
thinks that he's found a problem w/ Sophos antivirus.
Does anyone else have a problem?
-Bill
David Fry wrote:
> gents,
>
> Okay - I do believe something is actively in the wild taking advantage
> of the Sophos exploit.
>
> After having a couple of hiccups with our pop server and even as
> I was installing the latest build of Sophos on that box ... I saw the
> following on our mail gateway.
>
> *****************************************************
> Virus Scanning: Denial of Service attack detected!
> Virus Scanning: Denial of Service attack detected!
> Virus Scanning: Denial of Service attack detected!
> *****************************************************
>
> The frequency of the log message was every 6 minutes!
>
> Now here is the kicker. As soon as I reinstalled Sophos with the latest
> build AND restarted MailScanner (which calls the SophosSAVI perl
> module) ... the warning messages ceased!!
>
> So, I would highly encourage you to look at your logs. I do believe we
> have a live one here.
>
> I have some 80+ messages in my MailScanner inbound queue - I suspect
> the exploit is sitting in there. I am taking a look at that now -
> mainly to make sure I don't have any legitimate emails snagged there.
>
> I believe this is the first instance of an actual vulnerability
> exploit with Sophos itself.
>
> Keep an eye out gents!
>
> regards,
>
>
> -david
>
David Fry wrote:
> TITLE:
>
>Sophos Anti-Virus Unspecified Buffer Overflow Vulnerability
>
>SECUNIA ADVISORY ID:
>SA16245
>
>VERIFY ADVISORY:
>http://secunia.com/advisories/16245/
>
>CRITICAL:
>Highly critical
>
>IMPACT:
>System access
>
>WHERE:
>From remote
>
>SOFTWARE:
>Sophos Anti-Virus 4.x
>http://secunia.com/product/5391/
>Sophos Anti-Virus 3.x
>http://secunia.com/product/164/
>
>DESCRIPTION:
>A vulnerability has been reported in Sophos Anti-Virus, which
>potentially can be exploited by malicious people to compromise a
>vulnerable system.
>
>The vulnerability is caused due to an unspecified error and can be
>exploited to cause a heap-based buffer overflow.
>
>The vulnerability has been reported in Sophos Anti-Virus Small
>Business Edition and in Sophos Anti-Virus versions prior to 3.96.0
>and prior to 4.5.4.
>
>SOLUTION:
>The vendor has included a fix in the following versions:
>* Version 3.96.0 of Sophos Anti-Virus (all supported Windows
>platforms, all supported Unix platforms, NetWare, OS/2, and OpenVMS)
>* Version 4.5.4 of Sophos Anti-Virus (all platforms)
>
>Fixes are reportedly expected to be available by 2005-07-29 for
>Sophos Anti-Virus Small Business Edition on all Windows platforms,
>and within the next 14 days for the other remaining versions.
>
>PROVIDED AND/OR DISCOVERED BY:
>The vendor credits Alex Wheeler.
>
>ORIGINAL ADVISORY:
>Sophos:
>http://www.sophos.com/support/knowledgebase/article/3409.html
>
>----------------------------------------------------------------------
>
>About:
>This Advisory was delivered by Secunia as a free service to help
>everybody keep their systems up to date against the latest
>vulnerabilities.
>
>Subscribe:
>http://secunia.com/secunia_security_advisories/
>
>Definitions: (Criticality, Where etc.)
>http://secunia.com/about_secunia_advisories/
>
>
>Please Note:
>Secunia recommends that you verify all advisories you receive by
>clicking the link.
>Secunia NEVER sends attached files with advisories.
>Secunia does not advise people to install third party patches, only
>use those supplied by the vendor.
>
>----------------------------------------------------------------------
>
>Unsubscribe: Secunia Security Advisories
>http://secunia.com/sec_adv_unsubscribe/?email=david.fry%40ifrsys.com
>
>----------------------------------------------------------------------
>
>
>
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
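The two checks the thread asks for, as an added example that is not part of the original post and not MailScanner, SophosSAVI or Sophos code: scan a MailScanner maillog for the "Virus Scanning: Denial of Service attack detected!" lines David describes and report how often they recur, and compare a Sophos Anti-Virus version string against the fixed releases named in Secunia SA16245 (3.96.0 for the 3.x line, 4.5.4 for the 4.x line). The log sample is constructed; the syslog layout, host name and PID are assumptions, and only the message text comes from the post. Treating an unrecognised major version as vulnerable is this example's own conservative choice, not something the advisory states.

```python
"""Added example (not from the MailScanner list post, MailScanner or Sophos):
find the 'Denial of Service attack detected!' lines in a MailScanner maillog,
measure the interval between them, and check a Sophos Anti-Virus version
against the fixed releases named in Secunia SA16245."""

import re
from datetime import datetime

# Constructed sample of a syslog-style maillog. Timestamps, host name and
# PID are made up; the DoS message text is the one quoted in the post.
SAMPLE_LOG = """\
Jul 28 19:58:02 mailgw MailScanner[4121]: Virus Scanning: Denial of Service attack detected!
Jul 28 19:59:10 mailgw MailScanner[4121]: Virus and Content Scanning: Starting
Jul 28 20:04:02 mailgw MailScanner[4121]: Virus Scanning: Denial of Service attack detected!
Jul 28 20:10:02 mailgw MailScanner[4121]: Virus Scanning: Denial of Service attack detected!
Jul 28 20:16:02 mailgw MailScanner[4121]: Virus Scanning: Denial of Service attack detected!
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host MailScanner[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ MailScanner\[\d+\]: "
    r"(?P<msg>.*)$"
)
DOS_MSG = "Virus Scanning: Denial of Service attack detected!"


def dos_events(log_text, year=2005):
    """Return the timestamps of DoS-detected messages, in log order.
    syslog omits the year, so the caller supplies it (default: the post's year)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("msg") == DOS_MSG:
            events.append(
                datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            )
    return events


def recurrence_minutes(events):
    """Gaps between consecutive detections in whole minutes (empty if < 2 events).
    A steady gap, like the 6 minutes reported in the post, is the tell-tale."""
    return [round((b - a).total_seconds() / 60) for a, b in zip(events, events[1:])]


# Fixed releases per Secunia SA16245: earlier versions in each line are affected.
FIXED = {3: (3, 96, 0), 4: (4, 5, 4)}


def parse_version(s):
    """'4.5.3' -> (4, 5, 3); short strings are padded so '3.96' == '3.96.0'."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def sophos_vulnerable(version):
    """True if the Sophos Anti-Virus version is below the fixed release for its
    major line. An unknown major line is reported as vulnerable so that it gets
    checked by hand (this example's assumption, not from the advisory)."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return True
    return v < fixed


def report(log_text, version):
    """Combine both checks into one summary dict."""
    events = dos_events(log_text)
    return {
        "dos_events": len(events),
        "gaps_min": recurrence_minutes(events),
        "vulnerable": sophos_vulnerable(version),
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG, "4.5.3")
    print(f"{r['dos_events']} DoS-detected messages; gaps (min): {r['gaps_min']}; "
          f"Sophos version vulnerable: {r['vulnerable']}")
```

On a real gateway, feed `report()` the contents of the maillog MailScanner writes to (commonly /var/log/maillog, but that depends on the syslog setup) and the version string from the Sophos `sweep -v` output; a run of evenly spaced detections on a pre-fix version is the situation the post describes, and the queued messages in the MailScanner inbound directory are then the place to look.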