Message-ID: <CAAOnDKdDhxoky7BxsQRECNbOsv00DLVzghtJV-SfW4boY44Fww@mail.gmail.com>
Date: Mon, 5 Nov 2012 16:17:02 +0000
From: Michele Orru <antisnatchor@...il.com>
To: Tavis Ormandy <taviso@...xchg8b.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: multiple critical vulnerabilities in sophos products

Also, "They told me they will work on this, and will improve their internal
security practices." is just ridiculous.

I have the same feeling you had while reaching out to them, when the results
from some of my product pentests cannot be disclosed even after patching.

I wish we could always go Full Disclosure, like old times. Unfortunately
lawsuits are a scary beast.

Finally, honestly, not interested in buying a new kitchen for my house.

Cheers
antisnatchor

On Mon, Nov 5, 2012 at 3:29 PM, Michele Orru <antisnatchor@...il.com> wrote:
> Reading the paper now.
> The previous one about internals was awesome.
>
> "enumerating badness" keyword :D ROFL
>
> Cheers
> antisnatchor
>
> On Mon, Nov 5, 2012 at 3:14 PM, Tavis Ormandy <taviso@...xchg8b.com> wrote:
>> List, I've completed the second paper in my series analyzing Sophos
>> Antivirus internals, titled "Practical Attacks against Sophos
>> Antivirus". As the name suggests, this paper describes realistic
>> attacks against networks using Sophos products.
>>
>> The paper includes a working pre-authentication remote root exploit
>> that requires zero interaction, and could be wormed within the next few
>> days. I would suggest administrators deploying Sophos products study
>> my results urgently, and implement the recommendations.
>>
>> I've also included a section on best practices for Sophos users,
>> intended to help administrators of high-value networks minimise the
>> potential damage to their assets caused by Sophos.
>>
>> The paper is available to download at the link below.
>>
>> https://lock.cmpxchg8b.com/sophailv2.pdf
>>
>> A working exploit for Sophos 8.0.6 on Mac is available, however the
>> techniques used in the exploit easily transfer to Windows and Linux,
>> due to multiple critical implementation flaws described in the paper.
>> Testcases for the other flaws described in the paper are available on
>> request.
>>
>> https://lock.cmpxchg8b.com/sophail-rev3-exploit.tar.gz
>>
>> It is my understanding that Sophos plan to publish their own advice to
>> their customers today. I have not been given an opportunity to review
>> the advice in advance, so cannot comment on its accuracy.
>>
>> I have had a working exploit since September, but Sophos requested I
>> give them two months to prepare for this publication before discussing
>> it. A timeline of our interactions is included in the paper. I believe
>> CERT are also preparing an advisory. I'm currently working on the
>> third paper in the series, which I'll announce at a later date. Please
>> contact me if you would like to be a reviewer. I will add any last
>> minute updates to twitter, at http://twitter.com/taviso.
>>
>> If you would like to learn more about Sophos internals, you can read
>> my previous paper in the series here
>> https://lock.cmpxchg8b.com/sophail.pdf
>>
>> I've reproduced a section of the conclusion below.
>>
>> Tavis.
>>
>> Conclusion
>>
>> As demonstrated in this paper, installing Sophos Antivirus exposes
>> machines to considerable risk. If Sophos do not urgently improve their
>> security posture, their continued deployment causes significant risk
>> to global networks and infrastructure.
>>
>> In response to early access to this report, Sophos did allocate some
>> resources to resolve the issues discussed, however they were clearly
>> ill-equipped to handle the output of one co-operative, non-adversarial
>> security researcher. A sophisticated state-sponsored or highly
>> motivated attacker could devastate the entire Sophos user base with
>> ease.
>>
>> Sophos claim their products are deployed throughout healthcare,
>> government, finance and even the military. The chaos a motivated
>> attacker could cause to these systems is a realistic global threat.
>> For this reason, Sophos products should only ever be considered for
>> low-value non-critical systems and never deployed on networks or
>> environments where a complete compromise by adversaries would be
>> inconvenient.
>>
>> --
>> -------------------------------------
>> taviso@...xchg8b.com | pgp encrypted mail preferred
>> -------------------------------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> --
> /antisnatchor

--
/antisnatchor