"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Sophos has recently been notified of a vulnerability in Sophos Anti-Virus interface (SAVi) running on windows platforms. The vulnerability allows a remote user to manipulate the SAVi due to a misconfigured Access Control List (ACL). This could result in protection being disabled or bypassed by an attacker.
The vulnerability has been fixed in the January engine (version 3.50.1) by restricting the access control list (ACL) on the interface.
Which Sophos Update Manager (SUM) software subscriptions will include this engine fix
Note: Previous Recommended and Previous Extended will receive this update in February. See this article on the forthcoming versions of Sophos for more information.
What is the fix
The vulnerability has been fixed in the January engine by limiting the DACL to a specific user group. From the January release onwards, SAVi on Windows will need to run as one of the following user accounts or groups:
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
PureMessage for Microsoft Exchange
PureMessage for Lotus Domino
Sophos for Microsoft SharePoint
SAV Interface
SAV Dynamic Interface
Important: This applies to all Sophos Anti-Virus products except SAVi and SAVDi. See below for more on these products.
To ensure that you are running the latest version of the engine (version 3.50.1) and that security changes take effect, you must either restart the Sophos Anti-Virus service or restart your computer.
To check which version of the engine is running on your computers, refer to this article: SAV for Windows.
Note: The new DACL already includes the user used to run the engine in the background.
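The advisory's root cause is a DACL that granted broad principals enough rights to manipulate the interface, and its fix is a DACL limited to one specific group. The following PowerShell is an added example written for this page, not Sophos's own code: it audits the DACL of an object for Allow entries that give write-class rights to broad principals (Everyone, Authenticated Users, Users, INTERACTIVE) and shows how a DACL restricted to a single group, plus SYSTEM for the background engine account, is built and applied. The object path `$ObjectPath` is a placeholder and the group `$AllowedGroup` is an assumption; the advisory does not name the protected object or the exact group.

```powershell
# Added example (not from the Sophos advisory). Audit a DACL for broad
# write-class grants and replace it with one limited to a specific group.
$ObjectPath   = 'C:\PLACEHOLDER\Path\To\Interface\Object'   # PLACEHOLDER: not from the advisory
$AllowedGroup = 'BUILTIN\Administrators'                    # ASSUMPTION: group the DACL is limited to

# Principals that should never hold write-class rights on a security product's interface.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller change the object or its permissions.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Find-BroadAccess {
    # Returns one record per Allow ACE that gives a broad principal write-class rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isBroad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        $grantsWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-RestrictedDacl {
    # Replaces the DACL with explicit Allow entries for one group and for SYSTEM only.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop inherited ACEs so the result is explicit.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $groupRule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'FullControl', 'None', 'None', 'Allow')
    # SYSTEM keeps access so the account running the engine in the background is unaffected
    # (the advisory notes the new DACL already includes that account).
    $systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'None', 'None', 'Allow')
    $acl.AddAccessRule($groupRule)
    $acl.AddAccessRule($systemRule)
    Set-Acl -Path $Path -AclObject $acl
}

$findings = Find-BroadAccess -Path $ObjectPath
if ($findings) {
    Write-Output "Weak DACL on $ObjectPath (broad principals with write-class rights):"
    $findings | Format-Table -AutoSize
    Set-RestrictedDacl -Path $ObjectPath -Group $AllowedGroup
    Write-Output "DACL now limited to $AllowedGroup and NT AUTHORITY\SYSTEM."
} else {
    Write-Output "No broad write-class grants found on $ObjectPath."
}
```

Run the audit half on its own first (call `Find-BroadAccess` and inspect the output) before applying `Set-RestrictedDacl`; the remediation is deliberately written to remove every existing entry, so any account the product legitimately needs beyond the chosen group and SYSTEM must be added to it before use.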
Changes to SAV32CLI
SAV32CLI now requires Administrator permissions on Windows 2000/XP. If SAV32CLI is launched without the required permissions, the following error will occur:
SAVI interface could not be initialized
From the January release onwards, SAVi and SAVDi on Windows will only run as one of the following user accounts or groups:
If an application without these permissions attempts to use SAVi it will receive the following error return code:
0xa0040200 – SOPHOS_SAVI_ERROR_INITIALISING
On SAVDi the error message will be:
Sophos wants to thank Graham Sutherland from Portcullis Computer Security Ltd for bringing this to our attention and working with us to fix the issue.