Advisory: Sophos UTM: HTTPProxy coredumps after Appctrl update

Update 2: Originally the workaround was to switch off application control. The issue was resolved with a pattern update to the application control. To be able to receive this update it’s necessary to re-enable application control.

Updated the “What to do” section with steps on how to delete the remaining coredumps.

Update: A new pattern called u2d-appctrl43-9-42 was recently released to resolve this issue. If you still experience problems, please contact Sophos Support.

A pattern update for the Application Control of the HTTP Proxy in Sophos UTM was released on August 7, 2017 at 07:03 UTC and caused the HTTP proxy to stop. The version of the pattern causing the interruption is named u2d-appctrl43-9-39.

The following messages appear in the kernel logfile (kernel.log):

2017:08:07-09:11:17 sophos kernel: [1448439.994411] NAVLWorker_01[31756]: segfault at 18b09499 ip 00000000f68495da sp 00000000e8cc0fec error 4 in libc-2.11.3.so[f67cd000+16c000]

2017:08:07-09:24:28 sophos kernel: [1449231.586930] NAVLWorker_10[32179]: segfault at e78ba000 ip 00000000f68045e1 sp 00000000c36d8fbc error 4 in libc-2.11.3.so[f6788000+16c000]

2017:08:07-09:25:09 sophos kernel: [1449272.038211] NAVLWorker_01[5095]: segfault at e9122000 ip 00000000f68875e1 sp 00000000bed45fbc error 4 in libc-2.11.3.so[f680b000+16c000]

2017:08:07-09:26:18 sophos kernel: [1449341.488162] NAVLWorker_08[5501]: segfault at 4ca50b2b ip 00000000f68625df sp 00000000e7ed2fbc error 4 in libc-2.11.3.so[f67e6000+16c000]
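As an added example (not Sophos code), the following Python script filters kernel.log lines for the NAVLWorker segfault pattern shown above and summarises them, flagging a worker name that reappears under a new PID, which is the sign that the proxy keeps respawning a worker that immediately crashes again. The sample log excerpt is constructed from the lines quoted above plus one unrelated line; the alert threshold of three crashes and the decoding of the kernel's page-fault error code are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample kernel.log excerpt: the four segfault lines quoted in the
# advisory plus one unrelated line, so the filter has something to ignore.
SAMPLE_KERNEL_LOG = """\
2017:08:07-09:11:17 sophos kernel: [1448439.994411] NAVLWorker_01[31756]: segfault at 18b09499 ip 00000000f68495da sp 00000000e8cc0fec error 4 in libc-2.11.3.so[f67cd000+16c000]
2017:08:07-09:12:02 sophos kernel: [1448484.120000] eth0: link up
2017:08:07-09:24:28 sophos kernel: [1449231.586930] NAVLWorker_10[32179]: segfault at e78ba000 ip 00000000f68045e1 sp 00000000c36d8fbc error 4 in libc-2.11.3.so[f6788000+16c000]
2017:08:07-09:25:09 sophos kernel: [1449272.038211] NAVLWorker_01[5095]: segfault at e9122000 ip 00000000f68875e1 sp 00000000bed45fbc error 4 in libc-2.11.3.so[f680b000+16c000]
2017:08:07-09:26:18 sophos kernel: [1449341.488162] NAVLWorker_08[5501]: segfault at 4ca50b2b ip 00000000f68625df sp 00000000e7ed2fbc error 4 in libc-2.11.3.so[f67e6000+16c000]
"""

# Shape of a Linux kernel segfault report as it appears in the UTM kernel.log.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ kernel: \[[\d.]+\] "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]$"
)


def decode_error_code(code):
    """Decode the x86 page-fault error bits the kernel prints after 'error'.
    bit 0: 0 = page not present, 1 = protection violation
    bit 1: 0 = read access,      1 = write access
    bit 2: 0 = kernel mode,      1 = user mode
    'error 4' is therefore a user-mode read of an unmapped page, i.e. a
    wild-pointer dereference inside the worker."""
    return {
        "present": bool(code & 1),
        "write": bool(code & 2),
        "user": bool(code & 4),
    }


def parse_segfaults(log_text, proc_prefix="NAVLWorker_"):
    """Return the segfault events for processes whose name starts with proc_prefix."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m and m.group("proc").startswith(proc_prefix):
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["err"] = int(d["err"])
            events.append(d)
    return events


def assess(log_text, threshold=3):
    """Summarise the crashes and flag the pattern the advisory describes:
    several worker segfaults, all inside the same library, with a worker name
    reappearing under a new PID (the proxy respawns the worker and it dies again)."""
    events = parse_segfaults(log_text)
    per_worker = Counter(e["proc"] for e in events)
    libs = sorted({e["lib"] for e in events})
    respawned = sorted(w for w, n in per_worker.items() if n > 1)
    return {
        "count": len(events),
        "per_worker": dict(per_worker),
        "libraries": libs,
        "respawned_workers": respawned,
        "alert": len(events) >= threshold,  # threshold is an arbitrary choice here
    }


if __name__ == "__main__":
    report = assess(SAMPLE_KERNEL_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("error 4 means:", decode_error_code(4))
```

Run against the real /var/log/kernel.log the same way; a non-empty respawned_workers list together with the crash count is the signal that the proxy is in a crash loop rather than having suffered a single fault.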


Applies to the following Sophos products and versions

Sophos UTM

Make sure application control is enabled so that you receive the latest update, which fixes the issue.

If you receive messages that your data partition is filling up, this is most probably caused by the core dumps written by the HTTP Proxy. Please call support to get those files deleted.

Feedback and contact

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Related:

  • No Related Posts

Sophos Anti-Virus for Unix: Customers currently subscribed to the 9.7.8 fixed package will automatically be upgraded to the 9.12.2 fixed package

We plan to re-subscribe customers subscribed to the SAV for Unix 9.7.8 fixed package to the SAV for Unix 9.12.2 fixed package with the next SAV for Unix release on August 1st.

This will force any endpoints still using MD5 signed certificates to automatically request SHA1 signed certificates on a SHA1 capable SEC (5.4.0 is the only one we currently support).

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Unix

What To Do

No customer action is required.


Sophos Central: Root Cause Analysis for Sophos Central Admin US-West region endpoint installations and slow performance issues from July 11 to 13, 2017

This article covers the Root Cause Analysis (RCA) for the issues experienced from July 11 to 13, 2017 with Sophos Central Admin US-West region.


Applies to the following Sophos products and versions

Sophos Central Admin

From July 11 through July 13, Sophos Central customers hosted in our US–West region were unable to install new endpoints and may have experienced slow performance when applying new policies and other minor issues. Other management and reporting functionality within Sophos Central continued to function normally with the exception of a handful of minor issues that continued until July 17: namely, the “last updated” date for endpoints showed incorrectly and policies between users on shared machines wouldn’t switch properly. Existing endpoints remained protected throughout the entire duration of the event. There was also no material impact upon non-Endpoint and non-Server products, and no impact on customers leveraging other hosting regions.

This issue started when we released an updated endpoint and server client. While Sophos Central is designed for scalability and resiliency, this update exposed an inefficiency in the communication protocol which Sophos endpoints utilize to communicate health status to Sophos Central. This alone would have merely caused a period of slow response but unfortunately, an error in the endpoint communication logic caused a high frequency of communication with Sophos Central that resulted in an unexpected surge in traffic.

While our monitoring identified the issue immediately, it did take a few days for our engineers to narrow down the exact cause and subsequently build, test, and publish the appropriate fixes. In the interim, we added a large amount of capacity to our cloud systems to ensure that the system processed as much traffic as possible. By Thursday night, the system was back to successfully processing installs and applying policies.

We are in the process of carrying out a detailed analysis of our testing processes, our incident response approach, our communication, our design for resiliency, and all other aspects of the tools we have to prevent future incidents and to optimize our response if we do have one. We are making improvements based on this incident, some of which we’ve already implemented. We understand how much you rely on Sophos Central and we apologize for the challenges this issue has caused for you and your team.


Corrupt or encrypted items quarantined by SAVDI when option set to disabled

When using SAVDI in combination with EMC Isilon, files whose scan result is corrupt, error or encrypted are quarantined even when the option to block them is not enabled.

This is caused by SAVDI’s use of the ICAP 204 and 200 return codes.

This article describes the steps to resolve this issue.


Applies to the following Sophos products and versions

SAV Dynamic Interface 2.5.0

  1. Upgrade to SAVDI version 2.5.0
  2. Add the following line to the savdid.conf file in the scanprotocol section:

    useclean204: YES

    Note: This should result in a scanprotocol section similar to the one below:

    scanprotocol {
        type: ICAP
        useclean204: YES
    }

    Note: To make use of this feature, set block-error, block-encrypted and/or block-corrupt to NO. It only affects the block setting(s) that are set to NO.

  3. Restart the SAVDI service
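The effect of the useclean204 setting can be modelled in a few lines. The Python below is an added example and not SAVDI’s code: it reads the scanprotocol section from a constructed savdid.conf fragment and maps each scan outcome to the ICAP status code a client such as Isilon would see, on the reading of the article that a 204 No Content response means "pass the file through unchanged" while a 200 OK carries a verdict the client acts on. The outcome names, the treatment of a missing block-* key as NO, and the pre-fix behaviour are assumptions made here.

```python
import re

# Constructed savdid.conf fragment in the shape shown in the article above,
# with block-corrupt left at YES so that one result type stays blocked.
SAMPLE_SAVDID_CONF = """\
scanprotocol {
    type: ICAP
    useclean204: YES
    block-error: NO
    block-encrypted: NO
    block-corrupt: YES
}
"""

# Scan outcomes an ICAP client can receive; the three in the middle are the
# ones the block-* settings control. (Names chosen for this example.)
OUTCOMES = ("clean", "error", "encrypted", "corrupt", "infected")


def parse_section(conf_text, name):
    """Return the 'key: value' pairs of one brace-delimited section as a dict
    (keys lower-cased). Returns {} if the section is absent."""
    m = re.search(r"\b%s\s*\{(.*?)\}" % re.escape(name), conf_text, re.S)
    if not m:
        return {}
    section = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            section[key.strip().lower()] = value.strip()
    return section


def icap_status(outcome, section):
    """ICAP status the scanner would send for one scan outcome under this config.

    Model (an assumption drawn from the article, not SAVDI source):
      * infected, or a result whose block-<type> is YES  -> 200 OK with a verdict
        (the client treats the file as something to quarantine)
      * clean                                            -> 204 No Content
      * error/encrypted/corrupt with block-<type> NO     -> 204 if useclean204 is
        YES, otherwise 200 (the pre-fix behaviour that made Isilon quarantine
        files the policy said not to block)
    A missing block-<type> key is treated as NO here; check the product default."""
    if outcome == "infected":
        return 200
    if outcome == "clean":
        return 204
    if outcome not in OUTCOMES:
        raise ValueError(f"unknown scan outcome: {outcome}")
    blocked = section.get(f"block-{outcome}", "NO").upper() == "YES"
    if blocked:
        return 200
    return 204 if section.get("useclean204", "NO").upper() == "YES" else 200


def quarantined_without_policy(section):
    """Outcomes the policy does NOT block but that would still be answered with
    200, and so quarantined by a client that keys on 200 versus 204."""
    return [o for o in ("error", "encrypted", "corrupt")
            if section.get(f"block-{o}", "NO").upper() != "YES"
            and icap_status(o, section) == 200]


if __name__ == "__main__":
    sec = parse_section(SAMPLE_SAVDID_CONF, "scanprotocol")
    for o in OUTCOMES:
        print(f"{o:10s} -> ICAP {icap_status(o, sec)}")
    print("quarantined despite block=NO:", quarantined_without_policy(sec))
```

With useclean204 flipped to NO the helper lists error and encrypted as quarantined despite the policy, which is the symptom the article describes; with YES the list is empty while block-corrupt: YES still yields a 200.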


Disabled SMB1 protocol on Windows Update Server leads to update failure on Linux Server endpoint

Currently, if the SMB1 protocol has been disabled on the update server*, SAV Linux servers updating from this machine will fail to update. This is because the Samba version used in the current version of Sophos Anti-Virus for Linux relies on the SMB1 protocol when updating from the Windows Server.

The following error will be seen in the syslog/messages file:

2017-02-20 08:12:33: update.failed Failed to update from primary update source. Redirecting to secondary update source.

This is resolved in the newly released version of Sophos Anti-Virus for Linux (9.13.2), where the Samba libraries have been updated (to version 4.6.1) for compatibility with later SMB versions.

*To check, enter the command Get-SmbServerConfiguration in a PowerShell window.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux

What To Do

Current workarounds prior to product update to this release:

One option would be to re-enable SMB1 on the Windows Server until the next release of Sophos Anti-Virus for Linux.

If SMB 1 has already been disabled on the Windows Update Server and if this cannot be re-enabled until the next SAV Linux release there are the following workarounds.

1 – Set the Secondary Server in the SEC updating policy to update directly from Sophos using your Sophos credentials. An update from the Primary location (SEC CID share) will be attempted and will fail, and the update will then go directly to Sophos online.

This means updating may take longer and the logs will contain errors that the attempted update from the Primary Server failed.

2 – Create an IIS Web CID (See KBAs 38238, 64787) and use this as the Primary Update location.


Wana Decrypt0r 2.0 Ransomware

We are aware of a widespread ransomware attack which is affecting several IT organizations in multiple countries. A new ransomware attack called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) is encrypting files and changing the extensions to: .wnry, .wcry, .wncry and .wncrypt. The malware then presents a window to the user with a ransom demand.

The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). It uses strong encryption on files such as documents, images, and videos.

Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splashscreen and note may still appear.

Sophos has issued protection for this threat:

Threat name        Sophos IDE      Publication started       Publication finished
Troj/Ransom-EMG    cerb-ama.ide    May 12, 2017 15:58 UTC    May 12, 2017 17:25 UTC
Mal/Wanna-A        wanna-d.ide     May 12, 2017 19:06 UTC    May 12, 2017 19:13 UTC
Troj/Wanna-C       wanna-d.ide     May 12, 2017 19:06 UTC    May 12, 2017 19:13 UTC
Troj/Wanna-D       wanna-d.ide     May 12, 2017 19:06 UTC    May 12, 2017 19:13 UTC
HPMal/Wanna-A      pdfu-bfo.ide    May 13, 2017 00:12 UTC    May 13, 2017 02:18 UTC
Troj/Wanna-E       rans-emh.ide    May 13, 2017 04:57 UTC    May 13, 2017 07:04 UTC
Troj/Wanna-G       rans-emh.ide    May 13, 2017 04:57 UTC    May 13, 2017 07:04 UTC
Troj/Dloadr-EDC    chisb-qv.ide    May 13, 2017 21:09 UTC    May 13, 2017 23:16 UTC
Troj/Agent-AWDS    chisb-qv.ide    May 13, 2017 21:09 UTC    May 13, 2017 23:16 UTC
Troj/Wanna-H       wanna-h.ide     May 14, 2017 00:47 UTC    May 14, 2017 02:53 UTC
Troj/Wanna-I       wanna-i.ide     May 14, 2017 04:32 UTC    May 14, 2017 06:38 UTC
Troj/Ransom-EMJ    wanna-i.ide     May 14, 2017 04:32 UTC    May 14, 2017 06:38 UTC
Troj/Wanna-J       emote-cb.ide    May 14, 2017 19:56 UTC    May 14, 2017 22:03 UTC
Troj/Wanna-K       emote-cb.ide    May 14, 2017 19:56 UTC    May 14, 2017 22:03 UTC

For information on IPS protection in the Sophos XG Firewall, Sophos UTM or Cyberoam Firewall please see this article: IPS protection against the EternalBlue vulnerability CVE-2017-0144

Please ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks.

Microsoft has made the decision to make the Security Update for platforms in custom support only (Windows XP, Windows 8 and Windows Server 2003) broadly available for download:

  • Windows Server 2003 SP2 x64
  • Windows Server 2003 SP2 x86
  • Windows 8 x64
  • Windows 8 x86
  • Windows XP SP2 x64
  • Windows XP SP3 x86
  • Windows XP Embedded SP3 x86

Applying the Microsoft MS17-010 patches should be enough to protect against the EternalBlue exploit that enabled the rapid spread of the Wanna ransomware attack. Microsoft and others advise that customers should consider blocking legacy protocols on their networks, in particular SMBv1, as an additional defense-in-depth measure to further protect against attacks.

Customers considering disabling SMBv1 should proceed with caution since this could cause software and other services that depend on SMB to stop functioning correctly. In particular, please see the following article for information regarding disabling SMBv1 for Sophos products: What to do if you decide to disable SMBv1 as a response to Wanna ransomware

The Wanna malware variants that we have seen include a lookup to a URL. If the malware gets a response, the attack stops. This has been described in some media reports as a “kill switch”. The domain for the URL was registered and activated by an independent malware analyst intending to track the malware, meaning that if current variants of the ransomware can reach the URL the attack would stop.

As a result, the National Cyber Security Centre (NCSC) provides this advice: Finding the kill switch to stop the spread of ransomware. NCSC recommends that the following domains be whitelisted in your environment:

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

(remove square brackets [] when whitelisting). Sophos has categorized these domains as Other/Computers & Internet.

To ensure that no other compromised code associated with this attack is still running in memory, we advise customers to reboot their computers after following the actions below.

Sophos product                                         Actions
Sophos Intercept X                                     None required.
Central Server Protection Standard                     Ensure endpoints are updated with the latest threat protection (IDEs).
Central Server Protection Advanced                     Ensure CryptoGuard is enabled.
Sophos EXP                                             None required.
Sophos Endpoint Protection                             Ensure endpoints are updated with the latest threat protection (IDEs).
Sophos XG Firewall, Sophos UTM and Cyberoam Firewall   Please see this article: IPS protection against the EternalBlue vulnerability CVE-2017-0144
Sophos Home                                            Ensure Sophos Home on protected computers is up to date. Also consider signing up for the Sophos Home Premium beta, which adds proactive protection against exploits and ransomware.

We will continue to update this article as further information becomes available.


PCTI.DBVB.dll detected as Mal/Generic-S

On 18th May 2017 we received a small number of reports of an incorrect detection on a DLL named PCTI.DBVB.dll, which forms part of an application called Docman. We updated our detection rules for this file as of 10:22 UTC on the 18th May 2017 and are no longer blocking this DLL. However, customers using this software before this time who had automatic cleanup enabled may notice errors during its use.

If you are experiencing issues as a result of this detection, please contact Sophos Technical Support immediately for further advice; we can provide you with a script which should restore the DLL and return Docman to normal operation.

We will continue to update this article as further information becomes available.


Advisory: Recommended steps for the Poodle vulnerability in SMTP Proxy on the Sophos UTM

This article provides the recommended steps for the Poodle vulnerability in SMTP Proxy on the Sophos UTM.

Applies to the following Sophos product(s) and version(s)

Sophos UTM


What is the vulnerability?

For details about this vulnerability, see https://nakedsecurity.sophos.com/2014/10/16/poodle-attack-takes-bytes-out-of-your-data-heres-what-to-do/

Recommended steps for SMTP Proxy

Disable SSLv3 for SMTP and turn TLSv1.2 back on:

For UTM versions up to 9.209, and 9.300 to 9.303

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Change (or add, if missing) the line openssl_options at the end of the #TLS section so that it reads:

    openssl_options = +no_sslv3

  • Note: Make sure that the value of tls_require_ciphers looks as follows before you save your changes:

    RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

For UTM version 9.210

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Change the value of tls_require_ciphers to the following (remove the “:!SSLv3”):

    RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

  • Add the following line at the end of the #TLS section:

    openssl_options = +no_sslv3
  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

After applying the recommended steps my mail server is no longer able to communicate with the Sophos UTM. What should I do?

Some mail servers do not support TLS 1.2. In this case, proceed as follows:

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Change the line openssl_options to: openssl_options = +no_sslv3 +no_tlsv1_2
  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

Some mail servers only support SSLv3. In this case you would need to reactivate support for SSLv3 (which is vulnerable in this case) as follows:

  • Navigate to /var/chroot-smtp/etc/
  • Open the exim.conf with vi: vi exim.conf
  • Remove the line openssl_options = +no_sslv3
  • Save your changes and close the editor: :wq
  • Now restart the smtpd service by executing /var/mdw/scripts/smtp restart
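For the three exim.conf variants above, the following added Python example (not part of the UTM or of the advisory) audits a configuration excerpt for the openssl_options and tls_require_ciphers values the steps mention and applies the change in place, so the edit can be checked before smtpd is restarted. The sample configuration is constructed, and the code assumes the #TLS section ends at the first blank line after the "#TLS" comment, since the advisory only says "at the end of the section".

```python
import re

# Constructed exim.conf excerpt (not a real UTM file): a #TLS section with the
# cipher string the advisory expects and no openssl_options line yet.
SAMPLE_EXIM_CONF = """\
primary_hostname = utm.example.invalid

#TLS
tls_certificate = /etc/ssl/server.pem
tls_privatekey = /etc/ssl/server.key
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

# other settings follow
"""

# Cipher string the advisory says must be in place before saving.
EXPECTED_CIPHERS = "RC4+RSA:HIGH:!MD5:!ADH:!SSLv2"


def get_option(conf_text, name):
    """Value of 'name = value' in the config, or None if the line is absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.*?)\s*$", conf_text, re.M)
    return m.group(1) if m else None


def audit_tls(conf_text):
    """Report how the SMTP proxy's TLS settings compare with the advisory."""
    opts = (get_option(conf_text, "openssl_options") or "").split()
    ciphers = get_option(conf_text, "tls_require_ciphers")
    return {
        "sslv3_disabled": "+no_sslv3" in opts,
        "tlsv1_2_disabled": "+no_tlsv1_2" in opts,   # the fallback for TLS 1.2-incapable peers
        "ciphers_as_expected": ciphers == EXPECTED_CIPHERS,
        "ciphers": ciphers,
    }


def set_openssl_options(conf_text, value):
    """Return the config with 'openssl_options = <value>': an existing line is
    replaced in place; otherwise the line is appended at the end of the #TLS
    section. The section end is assumed (for this example) to be the first
    blank line after the '#TLS' comment."""
    new_line = f"openssl_options = {value}"
    pattern = re.compile(r"^\s*openssl_options\s*=.*$", re.M)
    if pattern.search(conf_text):
        return pattern.sub(new_line, conf_text, count=1)
    lines = conf_text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip() == "#TLS"]
    if not starts:
        raise ValueError("no #TLS section found")
    end = starts[0] + 1
    while end < len(lines) and lines[end].strip():
        end += 1
    lines.insert(end, new_line)
    return "\n".join(lines) + "\n"


def remove_sslv3_from_ciphers(conf_text):
    """The 9.210 variant of the steps: drop ':!SSLv3' from tls_require_ciphers
    and rely on openssl_options for the protocol ban instead."""
    return re.sub(r"^(\s*tls_require_ciphers\s*=.*?):!SSLv3(.*)$", r"\1\2",
                  conf_text, flags=re.M)


if __name__ == "__main__":
    print("before:", audit_tls(SAMPLE_EXIM_CONF))
    hardened = set_openssl_options(SAMPLE_EXIM_CONF, "+no_sslv3")
    print("after: ", audit_tls(hardened))
    print(hardened)
```

Running audit_tls on the live /var/chroot-smtp/etc/exim.conf before and after the edit gives a quick confirmation that SSLv3 is actually off, and shows whether the TLS 1.2 fallback from the FAQ section is still in place and can be reverted once the peer mail server is upgraded.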


Advisory: OpenSSL Security Advisory [05 Jun 2014]

On June 5th 2014 the OpenSSL Project published an advisory listing seven security defects in their software along with an update to fix them.

Certain Sophos products use the OpenSSL cryptography libraries and hence this article provides information on the issue in relation to our products.

Important: We are fully investigating this issue and will update this article to provide further information when available.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

PureMessage for Unix

Sophos Email Appliance

Sophos Web Appliance

Sophos UTM Manager

Sophos Cloud

What are the OpenSSL defects?

See the table below for a list of CVE numbers and brief description.

CVE reference†   Description
CVE-2014-0224    SSL/TLS MITM vulnerability
CVE-2014-0221    DTLS recursion flaw
CVE-2014-0195    DTLS invalid fragment vulnerability
CVE-2014-0198    SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
CVE-2010-5298    SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-3470    Anonymous ECDH denial of service
CVE-2014-0076    Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”

†CVE provides a standardized reference number and information on public security vulnerabilities and exposures. For more information see the cve.mitre.org website.

The list of defects as published by the OpenSSL Project can be found at the following link:

What versions of OpenSSL are affected?

Until the latest software release on June 5th, all versions of OpenSSL in client applications were vulnerable. The flaw goes back to the origin of the code in 1998. Only versions 1.0.1 and higher of the server are vulnerable.

For more information see our naked security blog article:

Have any of the OpenSSL defects been exploited so far?

No.

Is this the same as ‘heartbleed’?

No. Heartbleed (CVE-2014-0160) was disclosed by the OpenSSL Project on April 7th 2014 and was an earlier software defect.

What Sophos products are affected?

The table below lists the affected Sophos products, associated CVE number, and further information.

Important: When our development teams complete their investigation all affected products and resolutions will be listed. If a product is not listed in the table below it is not affected in any way.

Product affected: Sophos UTM v8.3, v9.1 and v9.2
Associated CVE: CVE-2014-0224
Further information: The affected versions will be fixed in the respective versions below:

  • v8.312 (released – please check KBA 121112 for update instructions)
  • v9.113 (released – please check KBA 121112 for update instructions)
  • v9.203 (released – please check KBA 121112 for update instructions)

Product affected: Sophos UTM Manager v4.1 and v4.2
Associated CVE: CVE-2014-0224
Further information:

  • Patched in version 4.107 (released): Up2date link, MD5SUM be4f0d72e7266882bb3cd63cdc92bb90, file size ~198MB
  • Patched in version 4.201 (released): Up2date link, MD5SUM 42ddbb8f7eb30cc98a23f2f88b0e52fe, file size ~50MB

Product affected: Sophos Web Appliance v3.9.x.x
Associated CVE: CVE-2014-0224
Further information: Patch in v3.9.0.2 (expected June 11th, 2014)

Product affected: Sophos Email Appliance v3.7.x.x
Associated CVE: CVE-2014-0224
Further information: Patch in v3.8.0.0 (expected week commencing June 23rd 2014)

Product affected: PureMessage for UNIX v6
Associated CVE: CVE-2014-0224
Further information: Patch expected June 25th 2014

Product affected: Sophos Cloud
Associated CVE: CVE-2014-0224
Further information: Patched 17th June 2014

I have a further question, what should I do?

If something in the article is not clear leave a comment in the form below. Otherwise post your question to our community:
