SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#836088

Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities

Overview

Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing "message/partial" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.

I. Description

Section 5.2.2 of RFC 2046 defines the "message/partial" Multipurpose Internet Mail Extensions (MIME) type:

    5.2.2.  Partial Subtype

       The "partial" subtype is defined to allow large entities to be
       delivered as several separate pieces of mail and automatically
       reassembled by a receiving user agent.  (The concept is similar to IP
       fragmentation and reassembly in the basic Internet Protocols.)  This
       mechanism can be used when intermediate transport agents limit the
       size of individual messages that can be sent.  The media type
       "message/partial" thus indicates that the body contains a fragment of
       a larger entity.

Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different "message/partial" MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent s a "message/partial" MIME entitiy split across multiple email messages.

Note that some products may corrupt messages containing "message/partial" MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the "message/partial" MIME type.

Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.

II. Impact

Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as "message/partial" MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.

III. Solution

Apply Patch

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.

Block "message/partial" MIME Types

If possible, configure your mail server, firewall, or other gateway technology to block messages containing "message/partial" MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing "message/partial" parts.

Disable Message Reassembly

If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any "message/partial" MIME entities, whether or not they are malicious.

Use Desktop Anti-Virus Software

Deploy and maintain updated desktop anti-virus software.

Systems Affected

VendorStatusDate NotifiedDate Updated
Aladdin Knowledge SystemsUnknown13-Sep-2002
Check PointVulnerable18-Sep-2002
Cisco Systems Inc.Unknown13-Sep-2002
Command SoftwareVulnerable18-Sep-2002
Computer AssociatesUnknown13-Sep-2002
CyberSoftUnknown13-Sep-2002
F-SecureNot Vulnerable18-Sep-2002
Finjan SoftwareNot Vulnerable13-Sep-2002
GFI SoftwareVulnerable18-Sep-2002
Network AssociatesUnknown18-Sep-2002
Roaring Penguin SoftwareVulnerable18-Sep-2002
SophosUnknown13-Sep-2002
SymantecNot Vulnerable18-Sep-2002
Trend MicroUnknown13-Sep-2002

References


http://www.securiteam.com/securitynews/5YP0A0K8CM.html
http://online.securityfocus.com/bid/5696
http://online.securityfocus.com/archive/1/291993
http://www.iss.net/security_center/static/10088.php

Credit

The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.

This document was written by Art Manion.

Other Information

Date Public:2002-09-12
Date First Published:2002-09-13
Date Last Updated:2002-09-18
CERT Advisory: 
CVE-ID(s):CAN-2002-1121
NVD-ID(s):CAN-2002-1121
US-CERT Technical Alerts: 
Metric:1.80
Document Revision:32

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader