HTTP: Sophos Anti-Virus Malicious Visio File Attack

This signature detects attempts to exploit a known vulnerability (CVE-2005-2768, BID 14362) in Sophos Anti-Virus. Sophos Anti-Virus is vulnerable to a signed integer overflow that leads to a heap-based buffer overflow when it scans a malformed Microsoft Visio file. A successful attack takes over the Sophos scanning process and executes arbitrary code with SYSTEM privileges. Microsoft Visio does not need to be installed on the target: the flaw is in the anti-virus scanning library, not in Visio itself, so any host whose Sophos AV scans the downloaded file is exposed. Because of the complexity of the Visio file format, this signature can produce false positives and should therefore only be enabled in Internet-facing policies.

Extended Description

A remote heap overflow vulnerability exists in the Sophos Anti-Virus library when it scans Visio files. The library fails to properly bounds-check attacker-controlled input from the file before copying data into an internal memory buffer, so a crafted file can write past the end of that heap buffer.
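The following C program is an added illustration of the bug class the description refers to (a file-supplied length held in a signed integer, checked with a signed comparison, then passed to a copy), placed beside the hardened form a scanner should use. It is not Sophos code and does not model the real Visio parser; the record layout, the SCRATCH_SIZE value and the three sample records are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the scanner's internal scratch buffer (hypothetical value). */
#define SCRATCH_SIZE 256

/* Constructed sample records: a 4-byte little-endian length followed by payload.
 * These are not real Visio structures; they exist only to exercise the checks. */
const uint8_t SAMPLE_GOOD[8] = {0x04, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D'}; /* len = 4 */
const uint8_t SAMPLE_BIG[8]  = {0x00, 0x10, 0x00, 0x00, 'A', 'B', 'C', 'D'}; /* len = 4096 */
const uint8_t SAMPLE_NEG[8]  = {0xF0, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D'}; /* len = -16 as int32,
                                                                                 0xFFFFFFF0 as uint32 */

/* Read a little-endian 32-bit value from the record header. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length is held in a signed int and compared to the
 * buffer size with a signed comparison. A negative value passes the check and
 * then becomes a huge size_t when handed to memcpy. Returns true when the
 * record would be copied; the copy itself is deliberately not performed so
 * the demo does not crash. */
bool vulnerable_length_check(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 4)
        return false;
    int32_t len = (int32_t)rd_le32(rec);
    if (len > SCRATCH_SIZE)          /* -16 > 256 is false: the check passes */
        return false;
    /* memcpy(scratch, rec + 4, (size_t)len);  (size_t)-16 is ~4 GiB on 32-bit, far larger on 64-bit */
    return true;
}

/* Hardened version: unsigned length, bounded by the destination buffer and by
 * the bytes actually present in the record. Returns true and sets *copied on success. */
bool safe_copy_record(const uint8_t *rec, size_t rec_len,
                      uint8_t *scratch, size_t scratch_len, size_t *copied)
{
    if (rec_len < 4)
        return false;
    uint32_t len = rd_le32(rec);
    if (len > scratch_len)           /* would overflow the destination */
        return false;
    if (len > rec_len - 4)           /* record claims more payload than is present */
        return false;
    memcpy(scratch, rec + 4, len);
    *copied = len;
    return true;
}

/* Convenience wrapper: bytes copied by the hardened path, or -1 when the record is rejected. */
long safe_copy_len(const uint8_t *rec, size_t rec_len)
{
    uint8_t scratch[SCRATCH_SIZE];
    size_t copied = 0;
    return safe_copy_record(rec, rec_len, scratch, sizeof scratch, &copied) ? (long)copied : -1;
}

int main(void)
{
    const uint8_t *samples[3] = {SAMPLE_GOOD, SAMPLE_BIG, SAMPLE_NEG};
    const char *names[3] = {"good", "big", "negative"};
    for (int i = 0; i < 3; i++) {
        printf("%-8s vulnerable check: %s   hardened copy: %ld\n", names[i],
               vulnerable_length_check(samples[i], 8) ? "accepted" : "rejected",
               safe_copy_len(samples[i], 8));
    }
    return 0;
}
```

The oversized record (4096) is rejected by both paths, which is why a naive test suite can miss this class of bug: only the record whose length has the top bit set slips past the signed comparison. The hardened check also rejects a record that advertises more payload than the file actually contains, which is the other common way a malformed file drives a scanner into reading or copying beyond its input.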

Affected Products

4d webstar

Short Name
HTTP:STC:DL:SOPHOS-MAL-VISIO
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Anti-Virus Attack CVE-2005-2768 File Malicious Sophos Visio bid:14362
Release Date
09/05/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Unknown
Vendors

Sophos

4d

CVSS Score

7.5
