search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities

Vulnerability Note VU#836088

Original Release Date: 2002-09-13 | Last Revised: 2002-09-18

Overview

Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing "message/partial" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.

Description

Section 5.2.2 of RFC 2046 defines the "message/partial" Multipurpose Internet Mail Extensions (MIME) type:

5.2.2.  Partial Subtype

   The "partial" subtype is defined to allow large entities to be
   delivered as several separate pieces of mail and automatically
   reassembled by a receiving user agent.  (The concept is similar to IP
   fragmentation and reassembly in the basic Internet Protocols.)  This
   mechanism can be used when intermediate transport agents limit the
   size of individual messages that can be sent.  The media type
   "message/partial" thus indicates that the body contains a fragment of
   a larger entity.
Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different "message/partial" MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent s a "message/partial" MIME entitiy split across multiple email messages.

Note that some products may corrupt messages containing "message/partial" MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the "message/partial" MIME type.

Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.

Impact

Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as "message/partial" MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.

Solution


Apply Patch

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.


Block "message/partial" MIME Types

If possible, configure your mail server, firewall, or other gateway technology to block messages containing "message/partial" MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing "message/partial" parts.

Disable Message Reassembly

If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any "message/partial" MIME entities, whether or not they are malicious.

Use Desktop Anti-Virus Software

Deploy and maintain updated desktop anti-virus software.

Vendor Information

836088
 
Affected   Unknown   Unaffected

Check Point

Notified:  September 13, 2002 Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following response from Check Point appears in the SecuriTeam advisory:


    Neither the latest 4.1 nor the latest NG versions of FW-1 are vulnerable to this problem. A few details follow:

    1. FW-1 does not directly analyze the body of attachments. In that respect, the vulnerability is not applicable to FW-1.

    2. FW-1 has the capability to easily filter these types of messages, by specifying "message/partial" in the "Strip MIME of type:" section of the resource definition.

    3. FW-1 does serve as a platform for third party vendors to check attachments for viruses via the "CVP" OPSEC mechanism. When defining a CVP server, a message box is presented to the administrator (when approving the resource) that says:

    "When CVP server is used it is recommended to strip MIME of type 'message/partial'. Do you want to add 'message/partial'?"

    Pressing "Yes" will automatically add 'message/partial' to the appropriate place in the resource definition.

    We therefore believe is safe to say that not only are we not vulnerable to this problem ourselves, we also protect 3rd party opsec partners from falling for this pitfall.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

Command Software

Notified:  September 04, 2002 Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

Internal evaluation has revealed that Command AntiVirus(tm) for Microsoft Exchange is vulnerable. Command is working on possible solution.

Additionally, should known malicious code be delievered to a client in this manner, the Command AntiVirus will detect it when the message is reassembled to the client computer.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GFI Software

Notified:  September 13, 2002 Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

GFI MailSecurity for Exchange/SMTP 7.2 has been updated to detect this exploit as "fragmented message" through its email exploit detection engine and quarantines it at server level.

We also have released an advisory:

As well as an online test:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Roaring Penguin Software

Updated:  September 18, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

We at Roaring Penguin Software Inc. have updated our products to deal
with the vulnerability at
http://online.securityfocus.com/archive/1/291514

MIMEDefang:  We have released version 2.21 of MIMEDefang at
http://www.roaringpenguin.com/mimedefang/  The default filter
blocks message/partial types.

CanIt:  We have released version 1.2-F17 of our commercial CanIt
anti-spam solution.  This release is based on MIMEDefang 2.21.

MIME-Tools:  We have updated our patched version of MIME-Tools at
http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz
MIME-Tools is a Perl module for parsing MIME messages.  The patched
version now can descend into message/partial as well as message/rfc822
attachments.  Our patched version also fixes various other vulnerabilities
in the official package (see
http://online.securityfocus.com/archive/1/275282)

Regards,

David.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see
http://quantumlab.net/pine_privacy_guard/

iD8DBQE9gMmHxu9pkTSrlboRAry3AJ4jE+4XurEOIqPtFt8nxRP6/xE2lQCfdAOw
QZHmeIlayd8mkMeKTpE0tDU=
=M+gb
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure

Notified:  September 04, 2002 Updated:  September 18, 2002

Status

  Not Vulnerable

Vendor Statement

F-Secure is not vulnerable. The F-Secure products recognize multipart messages and contain settings that enables the administrator to control the handling of such messages.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Finjan Software

Notified:  September 10, 2002 Updated:  September 13, 2002

Status

  Not Vulnerable

Vendor Statement

Finjan Software products are not vulnerable. SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules. SurfinShield is installed on end users machines, gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec

Notified:  September 04, 2002 Updated:  September 18, 2002

Status

  Not Vulnerable

Vendor Statement

Symantec has been aware for some time of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company's comprehensive security policy to restrict potentially harmful content from the internal network.

Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Symantec has published this advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Aladdin Knowledge Systems

Notified:  September 04, 2002 Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  September 04, 2002 Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CyberSoft

Notified:  September 04, 2002 Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Associates

Notified:  September 13, 2002 Updated:  September 18, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sophos

Notified:  September 04, 2002 Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trend Micro

Notified:  September 04, 2002 Updated:  September 13, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following response from GFI appears in the SecuriTeam advisory:

We have confirmed that our product InterScan VirusWall 3.5x for NT is affected by the vulnerability mentioned by Beyond Security Ltd. regarding fragmented e-mails. In order to resolve this problem, we have released a patch in order to address this particular concern for InterScan VirusWall for NT. The said patch can be downloaded from the following FTP server:


The said hotfix is named:
    Hotfix_build1494_v352_Smtp_case6593.zip

The hotfix mentioned above contains a Readme file which should include the necessary instructions on how to apply the patch.

Our other mail gateway product, InterScan MSS v5.01 is not affected by this vulnerability provided that you apply the latest hotfixes which can be downloaded from our website at:


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1121
Severity Metric: 1.80
Date Public: 2002-09-12
Date First Published: 2002-09-13
Date Last Updated: 2002-09-18 22:14 UTC
Document Revision: 32

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.