Sophos Anti-Virus email virus may not be detected

sophos-email-virus-undetected (15192). The risk level is classified as Medium Risk.

Description:

Sophos Anti-Virus could allow a virus embedded in an email to pass undetected. If a qmail mail server employs the type of Delivery Status Notification (DSN) where the original email is not included in the bounce message, the Sophos Anti-Virus engine may let the virus pass without detection. To spread the virus, a remote attacker could send an email without any MIME boundary definitions to a qmail server that generates DSNs without including the original email in the bounce message.
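A mail gateway can flag messages that lack usable MIME boundaries on its own, so that a scanner verdict is never the only control for such mail. The following is an added example, not part of the advisory or of any Sophos or qmail code; it assumes "without any MIME boundary definitions" shows up as the boundary defects reported by Python's standard `email` parser, and the function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.errors import (
    CloseBoundaryNotFoundDefect,
    NoBoundaryInMultipartDefect,
    StartBoundaryNotFoundDefect,
)

# Parser defects meaning the declared MIME structure has no usable boundaries.
BOUNDARY_DEFECTS = (
    NoBoundaryInMultipartDefect,   # multipart/* with no boundary= parameter
    StartBoundaryNotFoundDefect,   # boundary declared but never used in the body
    CloseBoundaryNotFoundDefect,   # parts opened but never terminated
)

def boundary_findings(raw: bytes) -> list[str]:
    """Return one entry per MIME part whose boundaries are missing or unusable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        for defect in part.defects:
            if isinstance(defect, BOUNDARY_DEFECTS):
                findings.append(f"{part.get_content_type()}: {type(defect).__name__}")
    return findings

def needs_manual_review(raw: bytes) -> bool:
    """Assumed gateway policy: hold structurally ambiguous mail for review."""
    return bool(boundary_findings(raw))

# Constructed sample messages (harmless placeholder bodies).
HEADERS = b"From: a@example.test\nTo: b@example.test\nMIME-Version: 1.0\n"
WELL_FORMED = HEADERS + (
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nhello\n--b1--\n"
)
NO_BOUNDARY_PARAM = HEADERS + (
    b"Content-Type: multipart/mixed\n\n"
    b"Content-Type: application/octet-stream\n\nAAAA\n"
)
BOUNDARY_NEVER_USED = HEADERS + (
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"Content-Type: application/octet-stream\n\nAAAA\n"
)

if __name__ == "__main__":
    for name in ("WELL_FORMED", "NO_BOUNDARY_PARAM", "BOUNDARY_NEVER_USED"):
        print(name, boundary_findings(globals()[name]))
```
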


Consequences:

Bypass Security

Remedy:

Upgrade to the latest version of Sophos Anti-Virus for your operating system, available from the Sophos Web site. See References.

References:

  • Advisory: Sophos Anti-Virus 3.78 MIME handling: Support News.
  • Sophos Web site: Sophos Anti-Virus.
  • BID-9650: Sophos Anti-Virus Delivery Status Notification Handling Scanner Bypass Vulnerability
  • CVE-2004-2088: Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message.
  • OSVDB ID: 45184: Sophos Anti-Virus qmail Generated Delivery Status Notification (DSN) Scanning Bypass
  • SA10855: Sophos Anti-Virus MIME Header Handling Vulnerability
  • SECTRACK ID: 1009042: Sophos Anti-Virus Can Be Hung With Specially Crafted MIME Headers

Platforms Affected:

  • Sophos Sophos Anti-Virus 3.78

Reported:

Feb 12, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com