Vulnerability Note VU#5648

A variety of electronic mail clients (circa 1998) are vulnerable to buffer overflow attacks in the code that processes MIME headers. See the vendor statements referenced below for details specific to each mail client.

An intruder can crash vulnerable mail clients, or use them to execute arbitrary code with the privileges of the user reading the mail.

If the operating system where the vulnerable program resides does not provide strong memory protection, an intruder who is able to crash the mail clinet may be able to crash the entire operating system.

If a user with administrative access to the system (including Windows 95/Windows 98 users, as well as Unix 'root' or NT 'administrator') an intruder can use the vulnerability to gain administrative access to the system.

Fixing the problem requires modifying each email client with an appropriate patch from the vendor.

There are several things that can be done to mitigate the risk if a patch cannot be installed.

filter at the mail transfer agent (as in sendmail)
filter in procmail
filter in a firewall product

None of these really fix the problem, but they may provide some additional protection. There are at least two downsides, however: 1) performance -- the MTA has to scan each and every message for the problem, potentially becoming a bottleneck. 2) Unless you decode the information completely, you run the risk of overlooking some aspect of the problem. Most classic filtering solutions rely on fingerprints of the problem, rather than interpreting the nature of the information that is being filtered. A common example is the difficulty firewalls face when trying to filter fragmented packets. Unless the firewall implements its own reassembly routines, it may allow inappropriate trafic to pass, or block appropriate traffic.