In this section

• Home
• Support
• Knowledgebase
• Articles

Online support

• Knowledgebase
• Virus disinfection

Product maintenance

• Downloads and updates
• Documentation
• Software lifecycle

Contact support

• Talk to an expert
• Send a sample
• Email us

Support services

• Overview
• Technical Support
• Professional Services
• Technical Training

Advisory: Sophos Anti-Virus vulnerabilities reported by n.runs

This article discusses two vulnerabilities recently disclosed by n.runs. It should be noted that these vulnerabilities represent theoretical risks, and there are no known exploits of these vulnerabilities at the time of publication.

• UPX Vulnerability
  This can affect handcrafted UPX files.A corrupt UPX file causes the virus engine to crash and Sophos Anti-Virus to return 'unrecoverable error’ leading to scanning being terminated. Whilst this would ordinarily not represent a security threat, remote code execution is a theoretical possibility and the attempted repeated scanning of files could cause a denial of service. 

• BZip bomb vulnerability
  Provoked by passing a specifically malformed BZIP archive through Sophos Anti-Virus  for Windows or Linux. The maximum impact of the BZip vulnerability is a possibility that a file could be crafted which would cause a gateway or endpoint to use up all of the available space on the disc volume used for Engine temporary files. This would probably bring virus scanning to a halt as well as impacting on other applications writing files on that volume.

What to do

All versions of Sophos Anti-Virus running the virus engine, version 2.48.0 and above no longer have this vulnerability. Customers using EM Library and Sophos small business solutions will receive these updates automatically.

1. Check that you have the latest version of Sophos Anti-Virus on your computers.
2. If necessary update to virus engine version 2.48.0.

If you are unable to update, you can perform one of the following workarounds:

• Exclude scanning of such files based on filename. Any malware carried within such a file could then be caught by the on-access scanner at the point where the executable is unpacked. Excluding items from scanning is described in the following knowledgebase articles:
  • Sophos Anti-Virus for Windows: using Enterprise Console to exclude items from scanning
  • Sophos Anti-Virus for Windows: how to exclude items from scanning locally
  • Sophos Anti-Virus for Unix/Linux: exclusion handling
• For gateway products, which have archive scanning enabled, you can disable the scanning of BZip/UPX files, as described in your gateway product documentation.

Sophos would like to thank Sergio 'shadown' Alvarez of n.runs for bringing this issue to our attention.

If you need more information or guidance, then please contact technical support.

• Article ID: 28407
• Created: 8 Aug 2007
• Last updated: 9 Dec 2008

Rate this article Choose a rating Very useful Quite useful Moderately useful Not very useful Not useful at all

•  Read our search tips
• Contact one of our experts
• Suggest an improvement