CVE-2014-1213

Published: 10/02/2014 Updated: 09/10/2018
CVSS v2 Base Score: 5.6 | Impact Score: 7.8 | Exploitability Score: 3.9
VMScore: 498
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:C

Vulnerability Summary

Sophos Anti-Virus engine (SAVi) prior to 3.50.1, as used in VDL 4.97G 9.7.x prior to 9.7.9, 10.0.x prior to 10.0.11, and 10.3.x prior to 10.3.1, does not set an ACL for certain global and session objects, which allows local users to bypass anti-virus protection, cause a denial of service (resource consumption, CPU consumption, and eventual crash), or spoof "ready for update" messages by performing certain operations on mutexes or events, including (1) DataUpdateRequest, (2) MmfMutexSAV-****, (3) MmfMutexSAV-Info, (4) ReadyForUpdateSAV-****, (5) ReadyForUpdateSAV-Info, (6) SAV-****, (7) SAV-Info, (8) StateChange, (9) SuspendedSAV-****, (10) SuspendedSAV-Info, (11) UpdateComplete, (12) UpdateMutex, (13) UpdateRequest, or (14) SophosALMonSessionInstance, as demonstrated by triggering a ReadyForUpdateSAV event and modifying the UpdateComplete, UpdateMutex, and UpdateRequest objects.

Vulnerable Product

sophos sophos anti-virus 10.0.11

sophos scanning engine