Vulnerability Note VU#927278
Multiple vulnerabilities in X.400 implementations
Multiple vulnerabilities exist in different vendors' X.400 implementations. The impacts of these vulnerabilities are varied and range from denial of service to potential remote execution of arbitrary code.
The U.K. National Infrastructure Security Co-ordination Center (NISCC) has reported multiple vulnerabilities in different vendors' implementations of the X.400 protocols. X.400 is the short name for the set of standards defined by the ISO and the ITU that describe a messaging service. These protocols are widely used in email transport applications among other services.
Messages using the X.400 protocols are normally exchanged utilizing Basic Encoding Rules (BER) encoded ASN.1 data structures. Crafted messages that do not correctly conform to the X.400 ASN.1 definitions may cause a receiving X.400 system to behave in an unpredictable way. A test suite developed by NISCC has exposed vulnerabilities in a variety of X.400 implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere.
Further information is available in NISCC Vulnerability Advisory - 006489/X400
The impacts associated with these vulnerabilities include denial of service, and potential execution of arbitrary code.
Patch or Upgrade
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Check Point||Not Affected||04 Nov 2003||06 Nov 2003|
|Clavister||Not Affected||04 Nov 2003||04 Nov 2003|
|Fujitsu||Not Affected||04 Nov 2003||08 Dec 2003|
|Hitachi||Not Affected||04 Nov 2003||06 Nov 2003|
|Intoto||Not Affected||04 Nov 2003||06 Nov 2003|
|Nortel Networks||Not Affected||04 Nov 2003||04 Nov 2003|
|Xerox Corporation||Not Affected||04 Nov 2003||25 Nov 2003|
|3Com||Unknown||04 Nov 2003||04 Nov 2003|
|Alcatel||Unknown||04 Nov 2003||04 Nov 2003|
|Apple Computer Inc.||Unknown||04 Nov 2003||04 Nov 2003|
|AT&T||Unknown||04 Nov 2003||04 Nov 2003|
|Avaya||Unknown||04 Nov 2003||04 Nov 2003|
|Borderware||Unknown||04 Nov 2003||04 Nov 2003|
|BSDI||Unknown||04 Nov 2003||04 Nov 2003|
|Cisco Systems Inc.||Unknown||04 Nov 2003||04 Nov 2003|
CVSS Metrics (Learn More)
These vulnerabilities were discovered and researched by the NISCC Vulnerability Management Team.
This document was written by Chad R Dougherty based on information provided by NISCC.
- CVE IDs: CAN-2003-0565
- Date Public: 04 Nov 2003
- Date First Published: 04 Nov 2003
- Date Last Updated: 08 Dec 2003
- Severity Metric: 6.38
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.