Vulnerability Note VU#836088

Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities

Original Release date: 13 Sep 2002 | Last revised: 18 Sep 2002

Overview

Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing "message/partial" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.

Description

Section 5.2.2 of RFC 2046 defines the "message/partial" Multipurpose Internet Mail Extensions (MIME) type:

    5.2.2.  Partial Subtype

       The "partial" subtype is defined to allow large entities to be
       delivered as several separate pieces of mail and automatically
       reassembled by a receiving user agent.  (The concept is similar to IP
       fragmentation and reassembly in the basic Internet Protocols.)  This
       mechanism can be used when intermediate transport agents limit the
       size of individual messages that can be sent.  The media type
       "message/partial" thus indicates that the body contains a fragment of
       a larger entity.

Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different "message/partial" MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent s a "message/partial" MIME entitiy split across multiple email messages.

Note that some products may corrupt messages containing "message/partial" MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the "message/partial" MIME type.

Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.

Impact

Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as "message/partial" MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.

Solution


Apply Patch

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.


Block "message/partial" MIME Types

If possible, configure your mail server, firewall, or other gateway technology to block messages containing "message/partial" MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing "message/partial" parts.

Disable Message Reassembly

If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any "message/partial" MIME entities, whether or not they are malicious.

Use Desktop Anti-Virus Software

Deploy and maintain updated desktop anti-virus software.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Check PointAffected13 Sep 200218 Sep 2002
Command SoftwareAffected04 Sep 200218 Sep 2002
GFI SoftwareAffected13 Sep 200218 Sep 2002
Roaring Penguin SoftwareAffected-18 Sep 2002
F-SecureNot Affected04 Sep 200218 Sep 2002
Finjan SoftwareNot Affected10 Sep 200213 Sep 2002
SymantecNot Affected04 Sep 200218 Sep 2002
Aladdin Knowledge SystemsUnknown04 Sep 200213 Sep 2002
Cisco Systems Inc.Unknown-13 Sep 2002
Computer AssociatesUnknown04 Sep 200213 Sep 2002
CyberSoftUnknown04 Sep 200213 Sep 2002
Network AssociatesUnknown13 Sep 200218 Sep 2002
SophosUnknown04 Sep 200213 Sep 2002
Trend MicroUnknown04 Sep 200213 Sep 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2002-1121
  • Date Public: 12 Sep 2002
  • Date First Published: 13 Sep 2002
  • Date Last Updated: 18 Sep 2002
  • Severity Metric: 1.80
  • Document Revision: 32

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.