
CERT Coordination Center


Buffer Overflows in various email clients

Vulnerability Note VU#5648

Original Release Date: 2001-09-20 | Last Revised: 2003-04-11

Overview

Buffer overflows in the processing of several MIME headers affect a large number of electronic mail clients.

Description

A variety of electronic mail clients (circa 1998) are vulnerable to buffer overflow attacks in the code that processes MIME headers. See the vendor statements referenced below for details specific to each mail client.

Impact

An intruder can crash vulnerable mail clients, or use them to execute arbitrary code with the privileges of the user reading the mail.

If the operating system where the vulnerable program resides does not provide strong memory protection, an intruder who is able to crash the mail client may be able to crash the entire operating system.

If a user with administrative access to the system (including Windows 95/Windows 98 users, as well as Unix 'root' or NT 'administrator') reads the mail, an intruder can use the vulnerability to gain administrative access to the system.

Solution

Fixing the problem requires modifying each email client with an appropriate patch from the vendor.

There are several things that can be done to mitigate the risk if a patch cannot be installed.

filter at the mail transfer agent (as in sendmail)
filter in procmail
filter in a firewall product

None of these really fix the problem, but they may provide some additional protection. There are at least two downsides, however: 1) Performance -- the MTA has to scan each and every message for the problem, potentially becoming a bottleneck. 2) Unless you decode the information completely, you run the risk of overlooking some aspect of the problem. Most classic filtering solutions rely on fingerprints of the problem, rather than interpreting the nature of the information that is being filtered. A common example is the difficulty firewalls face when trying to filter fragmented packets. Unless the firewall implements its own reassembly routines, it may allow inappropriate traffic to pass, or block appropriate traffic.
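
The second downside above, shown as an added example (not part of the original note, and not code from CERT/CC or any vendor): a line-length fingerprint next to a filter that reassembles folded and RFC 2231-continued MIME parameters before measuring them, both run over a constructed message. The 255-character limit, the two headers checked, the filename parameter in the sample, and all function names are assumptions made for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

MAX_PARAM_LEN = 255  # assumed site policy, not a figure from the advisory
MIME_HEADERS = ("Content-Type", "Content-Disposition")  # assumed scope

def fingerprint_filter(raw: bytes, limit: int = MAX_PARAM_LEN) -> bool:
    """Classic fingerprint: flag a message if any physical line exceeds limit."""
    return any(len(line) > limit for line in raw.split(b"\r\n"))

def decoding_filter(raw: bytes, limit: int = MAX_PARAM_LEN) -> list:
    """Parse every MIME part, reassemble folded and RFC 2231-continued
    parameters, and report (header, parameter, length) for oversized values."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        for header in MIME_HEADERS:
            for key, value in part.get_params(failobj=[], header=header):
                text = collapse_rfc2231_value(value)  # str or (charset, lang, value)
                if len(text) > limit:
                    findings.append((header, key, len(text)))
    return findings

def build_sample(segments: int, seg_len: int = 60) -> bytes:
    """Constructed test message: one parameter value spread over short lines."""
    chunk = "A" * seg_len
    params = "".join(';\r\n filename*%d="%s"' % (i, chunk) for i in range(segments))
    return (
        "From: sender@example.com\r\n"
        "To: rcpt@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment" + params + "\r\n"
        "\r\n"
        "body\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    # Every physical line stays under 80 bytes, so the fingerprint sees nothing;
    # only the decoding filter measures the reassembled value.
    for label, raw in (("short", build_sample(1)), ("split-long", build_sample(6))):
        print(label, fingerprint_filter(raw), decoding_filter(raw))
```
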

Vendor Information


Hewlett-Packard Company

Updated:  September 20, 2001

Status

  Vulnerable

Vendor Statement

"The version of dtmail supplied by HP, as part of HP's CDE product, is vulnerable. Patches in process"

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Updated:  September 20, 2001

Status

  Vulnerable

Vendor Statement

See http://www.microsoft.com/security/bulletins/ms98-008.htm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Mutt

Updated:  September 20, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Upgrade to 0.93.2 or later.


NetBSD

Updated:  August 07, 1998

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc.

Updated:  August 07, 1998

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO Linux)

Updated:  September 20, 2001

Status

  Vulnerable

Vendor Statement

See ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Eric Allman

Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

Sendmail is not vulnerable but can be used to mitigate the risk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Fujitsu

Updated:  August 07, 1998

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NCR

Updated:  August 07, 1998

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD

Updated:  September 20, 2001

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

They don't ship any of the affected products.


Pegasus Mail

Updated:  August 11, 1998

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


QUALCOMM

Updated:  August 07, 1998

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data General

Updated:  August 07, 1998

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Lotus Software

Notified:  August 07, 1998 Updated:  August 28, 2000

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare)

Updated:  August 07, 1998

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A


Credit

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
CERT Advisory: CA-1998-10
Severity Metric: 81.00
Date Public: 1998-07-27
Date First Published: 2001-09-20
Date Last Updated: 2003-04-11 22:52 UTC
Document Revision: 6

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.