Vulnerability Note VU#428230
Multiple vulnerabilities in S/MIME implementations
Overview
Multiple vulnerabilities exist in different vendors' S/MIME (Secure/Multipurpose Internet Mail Extensions) implementations. The impacts of these vulnerabilities are varied and range from denial of service to potential remote execution of arbitrary code.
Description
The U.K. National Infrastructure Security Co-ordination Center (NISCC) has reported multiple vulnerabilities in different vendors' implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. S/MIME allows binary objects and attachments to be sent across an email system. S/MIME extends the MIME specification by including the secure data in an attachment encoded using ASN.1. If one of the entities in an email system knowingly or unknowingly send an exceptional ASN.1 element that cannot be handled properly by another party, the behavior of the application receiving such an element is unpredictable. A test suite developed by NISCC has exposed vulnerabilities in a variety of S/MIME implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Note that cryptographic libraries that implement S/MIME frequently provide more general-purpose cryptographic utility. In such libraries, it is common for ASN.1 parsing code to be shared between S/MIME and other cryptographic functions. Further information is available in NISCC Vulnerability Advisory - 006489/SMIME |
Impact
The impacts associated with these vulnerabilities include denial of service, and potential execution of arbitrary code. |
Solution
Patch or Upgrade |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Hitachi | Affected | 04 Nov 2003 | 06 Nov 2003 |
| Check Point | Not Affected | 04 Nov 2003 | 06 Nov 2003 |
| Clavister | Not Affected | 04 Nov 2003 | 04 Nov 2003 |
| Fujitsu | Not Affected | 04 Nov 2003 | 08 Dec 2003 |
| Intoto | Not Affected | 04 Nov 2003 | 06 Nov 2003 |
| Nortel Networks | Not Affected | 04 Nov 2003 | 04 Nov 2003 |
| Sun Microsystems Inc. | Not Affected | 04 Nov 2003 | 14 Nov 2003 |
| Tumbleweed Communications Corp. | Not Affected | - | 13 Nov 2003 |
| Xerox Corporation | Not Affected | 04 Nov 2003 | 25 Nov 2003 |
| 3Com | Unknown | 04 Nov 2003 | 04 Nov 2003 |
| Alcatel | Unknown | 04 Nov 2003 | 04 Nov 2003 |
| Apple Computer Inc. | Unknown | 04 Nov 2003 | 04 Nov 2003 |
| At&T | Unknown | 04 Nov 2003 | 04 Nov 2003 |
| Avaya | Unknown | 04 Nov 2003 | 04 Nov 2003 |
| Borderware | Unknown | 04 Nov 2003 | 04 Nov 2003 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.uniras.gov.uk/vuls/2003/006489/smime.htm
- http://www.ietf.org/rfc/rfc2633.txt
- http://www.itu.int/ITU-T/asn1/
Credit
These vulnerabilities were discovered and researched by the NISCC Vulnerability Management Team.
This document was written by Chad R Dougherty based on information from NISCC.
Other Information
- CVE IDs: CAN-2003-0564
- Date Public: 04 Nov 2003
- Date First Published: 04 Nov 2003
- Date Last Updated: 08 Dec 2003
- Severity Metric: 8.51
- Document Revision: 13
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.