|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#836088
Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities
OverviewEmail anti-virus scanners and content filters from multiple vendors do not adequately check messages containing "message/partial" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.
I. DescriptionSection 5.2.2 of RFC 2046 defines the "message/partial" Multipurpose Internet Mail Extensions (MIME) type:
5.2.2. Partial Subtype
The "partial" subtype is defined to allow large entities to be
delivered as several separate pieces of mail and automatically
reassembled by a receiving user agent. (The concept is similar to IP
fragmentation and reassembly in the basic Internet Protocols.) This
mechanism can be used when intermediate transport agents limit the
size of individual messages that can be sent. The media type
"message/partial" thus indicates that the body contains a fragment of
a larger entity.
Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different "message/partial" MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent s a "message/partial" MIME entitiy split across multiple email messages.
Note that some products may corrupt messages containing "message/partial" MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the "message/partial" MIME type.
Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.
II. ImpactEmail anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as "message/partial" MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.
III. Solution
Apply Patch
Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.
Block "message/partial" MIME Types
If possible, configure your mail server, firewall, or other gateway technology to block messages containing "message/partial" MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing "message/partial" parts.
Disable Message Reassembly
If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any "message/partial" MIME entities, whether or not they are malicious.
Use Desktop Anti-Virus Software
Deploy and maintain updated desktop anti-virus software.
Systems Affected
References
http://www.securiteam.com/securitynews/5YP0A0K8CM.html
http://online.securityfocus.com/bid/5696
http://online.securityfocus.com/archive/1/291993
http://www.iss.net/security_center/static/10088.php
Credit
The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.
This document was written by Art Manion.
Other Information
| Date Public: | 2002-09-12 |
| Date First Published: | 2002-09-13 |
| Date Last Updated: | 2002-09-18 |
| CERT Advisory: | |
| CVE-ID(s): | CAN-2002-1121 |
| NVD-ID(s): | CAN-2002-1121 |
| US-CERT Technical Alerts: | |
| Metric: | 1.80 |
| Document Revision: | 32 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader