Vulnerability Note VU#5648

Buffer Overflows in various email clients

Original Release date: 20 Sep 2001 | Last revised: 11 Apr 2003

Overview

Buffer Overflows in several MIME headers affect a large number of electronic mail clients.

Description

A variety of electronic mail clients (circa 1998) are vulnerable to buffer overflow attacks in the code that processes MIME headers. See the vendor statements referenced below for details specific to each mail client.

Impact

An intruder can crash vulnerable mail clients, or use them to execute arbitrary code with the privileges of the user reading the mail.

If the operating system where the vulnerable program resides does not provide strong memory protection, an intruder who is able to crash the mail clinet may be able to crash the entire operating system.

If a user with administrative access to the system (including Windows 95/Windows 98 users, as well as Unix 'root' or NT 'administrator') an intruder can use the vulnerability to gain administrative access to the system.

Solution

Fixing the problem requires modifying each email client with an appropriate patch from the vendor.

There are several things that can be done to mitigate the risk if a patch cannot be installed.

filter at the mail transfer agent (as in sendmail)
filter in procmail
filter in a firewall product

None of these really fix the problem, but they may provide some additional protection. There are at least two downsides, however: 1) performance -- the MTA has to scan each and every message for the problem, potentially becoming a bottleneck. 2) Unless you decode the information completely, you run the risk of overlooking some aspect of the problem. Most classic filtering solutions rely on fingerprints of the problem, rather than interpreting the nature of the information that is being filtered. A common example is the difficulty firewalls face when trying to filter fragmented packets. Unless the firewall implements its own reassembly routines, it may allow inappropriate trafic to pass, or block appropriate traffic.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Hewlett-Packard CompanyAffected-20 Sep 2001
Microsoft CorporationAffected-20 Sep 2001
MuttAffected-20 Sep 2001
NetBSDAffected-07 Aug 1998
Sun Microsystems Inc.Affected-07 Aug 1998
The SCO Group (SCO Linux)Affected-20 Sep 2001
Eric AllmanNot Affected-20 Sep 2001
FujitsuNot Affected-07 Aug 1998
NCRNot Affected-07 Aug 1998
OpenBSDNot Affected-20 Sep 2001
Pegasus MailNot Affected-11 Aug 1998
QUALCOMMNot Affected-07 Aug 1998
Data GeneralUnknown-07 Aug 1998
Lotus SoftwareUnknown07 Aug 199828 Aug 2000
The SCO Group (SCO UnixWare)Unknown-07 Aug 1998
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Shawn V Hernan.

Other Information

  • CVE IDs: Unknown
  • CERT Advisory: CA-1998-10
  • Date Public: 27 Jul 98
  • Date First Published: 20 Sep 2001
  • Date Last Updated: 11 Apr 2003
  • Severity Metric: 81.00
  • Document Revision: 6

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.