CVE-2014-1213 Information

Description

Sophos Anti-Virus engine (SAVi) before 3.50.1 as used in VDL 4.97G 9.7.x before 9.7.9 10.0.x before 10.0.11 and 10.3.x before 10.3.1 does not set an ACL for certain global and session objects which allows local users to bypass anti-virus protection cause a denial of service (resource consumption CPU consumption and eventual crash) or spoof \ready for update\ messages by performing certain operations on mutexes or events including (1) DataUpdateRequest (2) MmfMutexSAV-**** (3) MmfMutexSAV-Info (4) ReadyForUpdateSAV-**** (5) ReadyForUpdateSAV-Info (6) SAV-**** (7) SAV-Info (8) StateChange (9) SuspendedSAV-**** (10) SuspendedSAV-Info (11) UpdateComplete (12) UpdateMutex (13) UpdateRequest or (14) SophosALMonSessionInstance as demonstrated by triggering a ReadyForUpdateSAV event and modifying the UpdateComplete UpdateMutex and UpdateRequest objects.

Reference

http://osvdb.org/102762 http://packetstormsecurity.com/files/125024/Sophos-Anti-Virus-Denial-Of-Service.html http://seclists.org/fulldisclosure/2014/Feb/1 http://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1213/ http://www.securityfocus.com/archive/1/530915/100/0/threaded http://www.securityfocus.com/bid/65286 http://www.securitytracker.com/id/1029713 http://www.sophos.com/en-us/support/knowledgebase/2300/7200/1031/120401.aspx