A privilege escalation vulnerability was discovered and responsibly disclosed on 17 August, 2019 by Lasse Trolle Borup of Danish Cyber Defence that impacted specific versions of Sophos Anti-Virus for macOS. All supported versions were fixed by 5 December 2019. The only action required for customers is to verify they are running the fixed version.
An unprivileged, authenticated attacker with the necessary privileges to create hardlinks on a filesystem can trick a privileged service into writing log entries into an arbitrary attacker-controlled file location. By carefully constructing filesystem entries the attacker can embed malicious data into those log files, which can potentially be interpreted as commands by other software, such as the macOS launchd periodic service. This can lead to escalation of privilege.
The following versions include the appropriate fix to address this vulnerability
To see the version, click on the Sophos shield on the right half of the menu bar, click on the “Open Sophos Endpoint…” button, and click on the blue “About” text in the bottom right corner of the “Sophos Endpoint” window. The version will be displayed in the upper left of the “Sophos Endpoint” window.
To see the version, click on the Sophos shield on the right half of the menu bar, click on the ellipsis (…) menu in the upper right corner of the drop down window, and click on the “About” menu item.
To see the version, click on the Sophos shield on the right half of the menu bar, click on the “About Sophos Anti-Virus” menu item.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.