US-CERT Vulnerability Notes Database
Vulnerability Note VU#428230

Multiple vulnerabilities in S/MIME implementations

Overview

Multiple vulnerabilities exist in different vendors' S/MIME (Secure/Multipurpose Internet Mail Extensions) implementations. The impacts of these vulnerabilities are varied and range from denial of service to potential remote execution of arbitrary code.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendors' implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. S/MIME (RFC 2633) adds signing and encryption to MIME email: the signed or encrypted content is carried as a MIME body part holding a Cryptographic Message Syntax (CMS) object, which is encoded using ASN.1 (BER/DER). If any party in an email system, knowingly or unknowingly, sends an exceptional ASN.1 element (for example a length field that does not match the data, an unexpected tag, or excessive nesting) that the receiving party cannot handle properly, the behavior of the application receiving that element is unpredictable.

A test suite developed by NISCC has exposed vulnerabilities in a variety of S/MIME implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some may occur elsewhere. Note that cryptographic libraries that implement S/MIME frequently provide more general-purpose cryptographic functionality. In such libraries it is common for the ASN.1 parsing code to be shared between S/MIME and other functions (X.509 certificate handling, for example), so a parsing flaw reached through S/MIME may also be reachable through interfaces that have nothing to do with email.
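The kind of parsing flaw described above can be made concrete with a DER tag-length-value (TLV) header decoder, the routine that sits at the bottom of every CMS/S-MIME parser. The following is an added example, not code from NISCC's test suite or from any vendor's implementation: a naive decoder that trusts the encoded length field beside a bounds-checked one, a child walker built on the checked decoder, and constructed sample messages (a ContentInfo-shaped SEQUENCE, then the same message with a lying length, an indefinite length, and a child that over-runs its parent). Offsets rather than pointers are returned so that the naive variant can be called here without undefined behavior; the struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not NISCC's or any vendor's code. A DER TLV header decoder
 * in naive and bounds-checked form, with constructed sample messages. */
typedef struct {
    uint8_t tag;        /* identifier octet (single-octet tags only) */
    size_t  value_off;  /* offset of the first content octet */
    size_t  len;        /* decoded content length */
    size_t  end_off;    /* offset of the first octet after the TLV */
} der_tlv;

/* Naive decoder: trusts the length field. A caller that copies out->len
 * octets from buf + out->value_off reads past the buffer when it lies. */
int der_parse_naive(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len;
    if (buflen < 2) return -1;
    out->tag = buf[pos++];
    len = buf[pos++];
    if (len & 0x80) {                        /* long form: next n octets */
        size_t n = len & 0x7f;
        len = 0;
        for (size_t i = 0; i < n; i++)       /* no check that pos < buflen */
            len = (len << 8) | buf[pos++];   /* nor that n fits in size_t */
    }
    out->value_off = pos; out->len = len;
    out->end_off = pos + len;                /* may lie far beyond buflen */
    return 0;
}

/* Checked decoder: every read and the decoded length are bounded by buflen,
 * and DER-illegal encodings (indefinite length 0x80, non-minimal long form,
 * length-of-length wider than size_t) are rejected. 0 on success, -1 on error. */
int der_parse_checked(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len;
    if (buflen < 2) return -1;
    out->tag = buf[pos++];
    if ((out->tag & 0x1f) == 0x1f) return -1;            /* multi-octet tag */
    uint8_t b = buf[pos++];
    if (b < 0x80) {
        len = b;
    } else {
        size_t n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return -1;     /* indefinite / absurd */
        if (n > buflen - pos) return -1;                 /* length octets cut off */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        if (n == 1 && len < 0x80) return -1;             /* must be short form */
        if (n > 1 && (len >> (8 * (n - 1))) == 0) return -1; /* leading zero */
    }
    if (len > buflen - pos) return -1;                   /* content cut off */
    out->value_off = pos; out->len = len;
    out->end_off = pos + len;
    return 0;
}

/* Children of a constructed TLV via the checked decoder: the count, or -1 if
 * the TLV is primitive or any child is malformed or over-runs its parent. */
int der_count_children(const uint8_t *buf, size_t buflen)
{
    der_tlv outer, child;
    if (der_parse_checked(buf, buflen, &outer) != 0) return -1;
    if (!(outer.tag & 0x20)) return -1;
    size_t off = outer.value_off; int count = 0;
    while (off < outer.end_off) {
        if (der_parse_checked(buf + off, outer.end_off - off, &child) != 0) return -1;
        off += child.end_off;
        count++;
    }
    return count;
}

/* Octets by which the naive decoder's end offset overshoots the buffer. */
size_t naive_overrun(const uint8_t *buf, size_t buflen)
{
    der_tlv t;
    if (der_parse_naive(buf, buflen, &t) != 0 || t.end_off <= buflen) return 0;
    return t.end_off - buflen;
}

/* Constructed samples: SEQUENCE { OID signedData, [0] { OCTET STRING } },
 * the same with a lying outer length (0xffff), an indefinite-length outer
 * SEQUENCE, and an inner OCTET STRING longer than its parent. */
const uint8_t SAMPLE_GOOD[] = { 0x30, 0x11, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
    0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x04, 0x04, 0x02, 0xaa, 0xbb };
const uint8_t SAMPLE_LYING_LEN[] = { 0x30, 0x82, 0xff, 0xff, 0x06, 0x09, 0x2a,
    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x04, 0x04, 0x02, 0xaa, 0xbb };
const uint8_t SAMPLE_INDEFINITE[] = { 0x30, 0x80, 0x04, 0x00, 0x00, 0x00 };
const uint8_t SAMPLE_CHILD_OVERRUN[] = { 0x30, 0x04, 0x04, 0x05, 0x00, 0x00 };

int main(void)
{
    printf("%d %zu %d\n", der_count_children(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           naive_overrun(SAMPLE_LYING_LEN, sizeof SAMPLE_LYING_LEN),
           der_count_children(SAMPLE_LYING_LEN, sizeof SAMPLE_LYING_LEN));
    return 0;                                /* prints: 2 65518 -1 */
}
```

On the lying-length sample the naive decoder accepts a 65535-octet content length inside a 21-octet buffer, so anything downstream that copies or walks that many octets reads 65518 octets past the end; the checked decoder refuses the same input, and likewise the indefinite-length and child-overrun samples. The point of sharing one checked primitive is that every caller (S/MIME, certificate parsing, anything else in the library) inherits the bound.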

Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different S/MIME implementations. Information about individual vendors is available in the Systems Affected section.

Further information is available in NISCC Vulnerability Advisory - 006489/SMIME

II. Impact

The impacts associated with these vulnerabilities include denial of service and potential execution of arbitrary code.

III. Solution

Patch or Upgrade

Apply a patch or upgrade as appropriate. Information about specific vendors is available in the Systems Affected section of this document. Because the affected ASN.1 parsing code is frequently part of a shared cryptographic library, confirm that a vendor's fix covers the library itself and not only the mail client that exposed the problem.

Systems Affected

Vendor                            Status          Date Updated
--------------------------------  --------------  ------------
3Com                              Unknown         4-Nov-2003
Alcatel                           Unknown         4-Nov-2003
Apple Computer Inc.               Unknown         4-Nov-2003
At&T                              Unknown         4-Nov-2003
Avaya                             Unknown         4-Nov-2003
Borderware                        Unknown         4-Nov-2003
BSDI                              Unknown         4-Nov-2003
Check Point                       Not Vulnerable  6-Nov-2003
Cisco Systems Inc.                Unknown         4-Nov-2003
Clavister                         Not Vulnerable  4-Nov-2003
Computer Associates               Unknown         4-Nov-2003
Conectiva                         Unknown         4-Nov-2003
COVERT Labs                       Unknown         4-Nov-2003
Cray Inc.                         Unknown         4-Nov-2003
D-Link Systems                    Unknown         4-Nov-2003
Data General                      Unknown         4-Nov-2003
Debian                            Unknown         4-Nov-2003
eSoft                             Unknown         4-Nov-2003
Extreme Networks                  Unknown         3-Dec-2003
F5 Networks                       Unknown         4-Nov-2003
Foundry Networks Inc.             Unknown         4-Nov-2003
FreeBSD                           Unknown         4-Nov-2003
Fujitsu                           Not Vulnerable  8-Dec-2003
Global Technology Associates      Unknown         4-Nov-2003
Guardian Digital Inc.             Unknown         4-Nov-2003
Hewlett-Packard Company           Unknown         4-Nov-2003
Hitachi                           Vulnerable      6-Nov-2003
IBM                               Unknown         4-Nov-2003
IBM-zSeries                       Unknown         4-Nov-2003
IBM eServer                       Unknown         4-Nov-2003
Ingrian Networks                  Unknown         4-Nov-2003
Intel                             Unknown         4-Nov-2003
Intoto                            Not Vulnerable  6-Nov-2003
IP Filter                         Unknown         4-Nov-2003
Juniper Networks                  Unknown         4-Nov-2003
Lachman                           Unknown         4-Nov-2003
Linksys                           Unknown         4-Nov-2003
Lotus Software                    Unknown         4-Nov-2003
Lucent Technologies               Unknown         4-Nov-2003
MandrakeSoft                      Unknown         4-Nov-2003
Microsoft Corporation             Unknown         4-Nov-2003
MontaVista Software               Unknown         4-Nov-2003
Multi-Tech Systems Inc.           Unknown         4-Nov-2003
Multinet                          Unknown         4-Nov-2003
NEC Corporation                   Unknown         4-Nov-2003
NetBSD                            Unknown         4-Nov-2003
Netfilter                         Unknown         4-Nov-2003
NetScreen Technologies Inc.       Unknown         4-Nov-2003
Network Appliance                 Unknown         4-Nov-2003
Nokia                             Unknown         4-Nov-2003
Nortel Networks                   Not Vulnerable  4-Nov-2003
Novell                            Unknown         4-Nov-2003
OpenBSD                           Unknown         4-Nov-2003
Openwall GNU/*/Linux              Unknown         4-Nov-2003
Oracle Corporation                Unknown         4-Nov-2003
Red Hat Inc.                      Unknown         4-Nov-2003
Redback Networks Inc.             Unknown         4-Nov-2003
Riverstone Networks               Unknown         4-Nov-2003
SCO                               Unknown         4-Nov-2003
Secure Computing Corporation      Unknown         4-Nov-2003
SecureWorx                        Unknown         4-Nov-2003
Sequent                           Unknown         4-Nov-2003
SGI                               Unknown         4-Nov-2003
Sony Corporation                  Unknown         4-Nov-2003
Stonesoft                         Unknown         4-Nov-2003
Sun Microsystems Inc.             Not Vulnerable  14-Nov-2003
SuSE Inc.                         Unknown         4-Nov-2003
Symantec Corporation              Unknown         4-Nov-2003
Tumbleweed Communications Corp.   Not Vulnerable  13-Nov-2003
TurboLinux                        Unknown         4-Nov-2003
Unisys                            Unknown         4-Nov-2003
WatchGuard                        Unknown         4-Nov-2003
Wind River Systems Inc.           Unknown         4-Nov-2003
Wirex                             Unknown         4-Nov-2003
Xerox Corporation                 Not Vulnerable  25-Nov-2003
zyXEL                             Unknown         4-Nov-2003

References


http://www.uniras.gov.uk/vuls/2003/006489/smime.htm
http://www.ietf.org/rfc/rfc2633.txt
http://www.itu.int/ITU-T/asn1/

Credit

These vulnerabilities were discovered and researched by the NISCC Vulnerability Management Team.

This document was written by Chad R Dougherty based on information from NISCC.

Other Information

Date Public: 11/04/2003
Date First Published: 11/04/2003 01:48:20 PM
Date Last Updated: 12/08/2003
CERT Advisory: (none)
CVE-ID(s): CAN-2003-0564
NVD-ID(s): CAN-2003-0564
US-CERT Technical Alerts: (none)
Metric: 8.51
Document Revision: 13

Copyright 2003 Carnegie Mellon University