Vulnerability Note VU#836088

Multiple vendors' email content/virus scanners do not adequately check "message/partial" MIME entities

Date public: September 13, 2002 (www.kb.cert.org)

CVSS v2 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

EPSS score: 0.011 (84.6th percentile)

Overview

Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing “message/partial” MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.

Description

Section 5.2.2 of RFC 2046 defines the “message/partial” Multipurpose Internet Mail Extensions (MIME) type:

5.2.2. Partial Subtype

The "partial" subtype is defined to allow large entities to be
delivered as several separate pieces of mail and automatically
reassembled by a receiving user agent. (The concept is similar to IP
fragmentation and reassembly in the basic Internet Protocols.) This
mechanism can be used when intermediate transport agents limit the
size of individual messages that can be sent. The media type
"message/partial" thus indicates that the body contains a fragment of
a larger entity.

Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different “message/partial” MIME parts in multiple email messages, because each message is scanned on its own and no single message contains the complete pattern. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent as a “message/partial” MIME entity split across multiple email messages.

Note that some products may corrupt messages containing “message/partial” MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the “message/partial” MIME type.
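The mechanics described in this section, as an added example that is not part of the CERT note and not any vendor's code: it builds a constructed message whose attachment carries a made-up signature string, splits the serialized message into “message/partial” fragments with the cut placed inside the signature, and shows that a scanner working one message at a time never matches, while the same scanner run on the reassembled entity does. The addresses, the signature string and the fragment id are invented for the example; the reassembly routine validates the id/number/total parameters the way an MUA should before trusting the result.

```python
"""Added example, not from the CERT note or any vendor: per-message scanning
versus reassemble-then-scan for message/partial (RFC 2046, section 5.2.2).
Standard library only; names, addresses and the signature are made up."""
import email
from email.message import EmailMessage
from email.parser import BytesHeaderParser

# Constructed stand-in for an anti-virus signature (not a real malware pattern).
SIGNATURE = b"X-CONSTRUCTED-TEST-SIGNATURE-NOT-REAL-X"


def build_message() -> bytes:
    """Serialize a message whose attachment carries SIGNATURE.  The attachment
    is sent 7bit rather than base64 so the fragment boundary is easy to see;
    with base64 the scanner would decode first, but no single fragment would
    decode to the whole entity either."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("Please see the attached file.\n")
    msg.add_attachment(b"header line\n" + SIGNATURE + b"\ntrailer line\n",
                       maintype="application", subtype="octet-stream",
                       filename="report.bin", cte="7bit")
    return msg.as_bytes()


def scan_message(raw: bytes) -> bool:
    """Signature scanner of the kind the note describes: parse one message,
    decode every leaf body, look for the pattern.  It never sees more than
    the single message it is handed."""
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if SIGNATURE in (part.get_payload(decode=True) or b""):
            return True
    return False


def split_message(raw: bytes, chunk_size: int, part_id: str) -> list[bytes]:
    """Cut a serialized message into message/partial fragments.  Each is a
    complete message; the id/number/total parameters let the MUA reassemble."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    chunks = [raw[i:i + chunk_size] for i in range(0, len(raw), chunk_size)]
    total = len(chunks)
    fragments = []
    for number, chunk in enumerate(chunks, start=1):
        head = ("From: alice@example.invalid\n"
                "To: bob@example.invalid\n"
                f"Subject: quarterly report (part {number} of {total})\n"
                "MIME-Version: 1.0\n"
                f'Content-Type: message/partial; id="{part_id}"; '
                f"number={number}; total={total}\n"
                "Content-Transfer-Encoding: 7bit\n\n")
        fragments.append(head.encode("ascii") + chunk)
    return fragments


def reassemble(fragments: list[bytes]) -> bytes:
    """Rebuild the entity from fragments (any order), validating the id,
    number and total bookkeeping before trusting the result."""
    pieces, ids, totals = {}, set(), set()
    for raw in fragments:
        # Header-only parse keeps the body as opaque bytes instead of
        # interpreting the slice as a nested message.
        hdr = BytesHeaderParser().parsebytes(raw)
        if hdr.get_content_type() != "message/partial":
            raise ValueError("not a message/partial fragment")
        ids.add(hdr.get_param("id"))
        number = int(hdr.get_param("number"))
        if number in pieces:
            raise ValueError(f"duplicate fragment number {number}")
        if hdr.get_param("total") is not None:
            totals.add(int(hdr.get_param("total")))
        pieces[number] = hdr.get_payload(decode=True) or b""
    if len(ids) != 1 or None in ids:
        raise ValueError("fragments carry missing or differing ids")
    if len(totals) != 1:
        raise ValueError("total is missing or inconsistent")
    total = totals.pop()
    if sorted(pieces) != list(range(1, total + 1)):
        raise ValueError("fragments missing")
    # RFC 2046 5.2.2.1 also says which headers of the outer fragment messages
    # carry over; for scanning, the concatenated body (the original entity)
    # is what matters.
    return b"".join(pieces[n] for n in range(1, total + 1))


def demo() -> dict:
    """Compare what each strategy detects; returns the results by name."""
    original = build_message()
    # Attacker's choice: cut inside the signature so no fragment holds it.
    cut = original.index(SIGNATURE) + len(SIGNATURE) // 2
    fragments = split_message(original, cut, part_id="frag-42@example.invalid")
    rebuilt = reassemble(fragments)
    return {"fragments": len(fragments),
            "original_detected": scan_message(original),
            "per_fragment_detected": any(scan_message(f) for f in fragments),
            "reassembled_detected": scan_message(rebuilt),
            "roundtrip_ok": rebuilt == original}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-fragment result is the vulnerability: each fragment is a well-formed message that a gateway scanner accepts, and only the receiving MUA ever holds the whole entity. A scanner that wants to keep reassembly working has to buffer fragments by id, reassemble with the same validation as the MUA, and scan the result; a gateway that cannot do that is better off rejecting “message/partial” outright, as the Solution section suggests.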

Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.


Impact

Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as “message/partial” MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.


Solution

Apply Patch

Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.


Block “message/partial” MIME Types

If possible, configure your mail server, firewall, or other gateway technology to block messages containing “message/partial” MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing “message/partial” parts.
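A gateway check implementing the policy above, as an added example that is not from the CERT note or from any vendor listed in this document: it quarantines a message when any entity in its MIME tree is “message/partial”, which goes one step beyond the plain case by also catching a fragment forwarded inside a message/rfc822 attachment, something a check of only the top-level Content-Type header lets through. The sample messages, addresses and the quarantine/deliver actions are constructed for the example.

```python
"""Added example, not from the CERT note or any vendor product: a gateway
policy that blocks message/partial wherever it appears in the MIME tree.
Sample messages are constructed for this example; standard library only."""
import email
from email.message import Message

# A fragment delivered on its own: the case the vendor statements discuss.
TOP_LEVEL_FRAGMENT = b"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: report (2/3)
MIME-Version: 1.0
Content-Type: message/partial; id="frag-7@example.invalid"; number=2; total=3

...middle slice of a larger entity; it need not parse as anything on its own...
"""

# The same fragment forwarded as an attachment.  A filter that inspects only
# the top-level Content-Type sees multipart/mixed and delivers it.
FORWARDED_FRAGMENT = b"""\
From: carol@example.invalid
To: bob@example.invalid
Subject: Fwd: report (2/3)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset="us-ascii"

Forwarding this for you.

--outer
Content-Type: message/rfc822

""" + TOP_LEVEL_FRAGMENT + b"""
--outer--
"""

BENIGN = b"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Noon?
"""


def naive_check(raw: bytes) -> bool:
    """Flag only when the outermost entity is message/partial."""
    return email.message_from_bytes(raw).get_content_type() == "message/partial"


def deep_check(raw: bytes) -> bool:
    """Flag when any entity in the MIME tree is message/partial.  walk()
    descends into multipart/* and message/rfc822 containers, so a fragment
    wrapped in a forwarded message is found as well."""
    msg: Message = email.message_from_bytes(raw)
    return any(part.get_content_type() == "message/partial" for part in msg.walk())


def gateway_decision(raw: bytes, check=deep_check) -> str:
    """The Solution section's policy: do not try to scan fragments piecemeal,
    block (here: quarantine) any message that carries one.  Returns the action
    a milter-style hook would take."""
    return "quarantine" if check(raw) else "deliver"


def demo() -> dict:
    """Run both checks over the constructed samples; results keyed by check."""
    samples = {"benign": BENIGN,
               "top_level_fragment": TOP_LEVEL_FRAGMENT,
               "forwarded_fragment": FORWARDED_FRAGMENT}
    return {"naive": {name: gateway_decision(raw, naive_check)
                      for name, raw in samples.items()},
            "deep": {name: gateway_decision(raw, deep_check)
                     for name, raw in samples.items()}}


if __name__ == "__main__":
    for check_name, results in demo().items():
        print(check_name, results)
```

The trade-off the section states applies unchanged: the deep check also quarantines legitimate fragmented mail, including fragments that arrive as forwards, so users who rely on “message/partial” lose that functionality at the gateway.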

Disable Message Reassembly

If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any “message/partial” MIME entities, whether or not they are malicious.

Use Desktop Anti-Virus Software

Deploy and maintain updated desktop anti-virus software.


Vendor Information


Check Point: Affected

Notified: September 13, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following response from Check Point appears in the SecuriTeam advisory:

Neither the latest 4.1 nor the latest NG versions of FW-1 are vulnerable to this problem. A few details follow:

1. FW-1 does not directly analyze the body of attachments. In that respect, the vulnerability is not applicable to FW-1.

2. FW-1 has the capability to easily filter these types of messages, by specifying “message/partial” in the “Strip MIME of type:” section of the resource definition.

3. FW-1 does serve as a platform for third party vendors to check attachments for viruses via the “CVP” OPSEC mechanism. When defining a CVP server, a message box is presented to the administrator (when approving the resource) that says:

“When CVP server is used it is recommended to strip MIME of type ‘message/partial’. Do you want to add ‘message/partial’?”

Pressing “Yes” will automatically add ‘message/partial’ to the appropriate place in the resource definition.

We therefore believe it is safe to say that not only are we not vulnerable to this problem ourselves, we also protect 3rd party OPSEC partners from falling for this pitfall.

Command Software: Affected

Notified: September 04, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

Internal evaluation has revealed that Command AntiVirus™ for Microsoft Exchange is vulnerable. Command is working on a possible solution.

Additionally, should known malicious code be delivered to a client in this manner, the Command AntiVirus will detect it when the message is reassembled on the client computer.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GFI Software: Affected

Notified: September 13, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

GFI MailSecurity for Exchange/SMTP 7.2 has been updated to detect this exploit as “fragmented message” through its email exploit detection engine and quarantines it at server level.

We also have released an advisory:

<http://www.gfi.com/news/en/GFISEC16092002.htm>

As well as an online test:

<http://www.gfi.com/emailsecuritytest/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Roaring Penguin Software: Affected

Updated: September 18, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

We at Roaring Penguin Software Inc. have updated our products to deal with the vulnerability at <http://online.securityfocus.com/archive/1/291514>.

MIMEDefang: We have released version 2.21 of MIMEDefang at <http://www.roaringpenguin.com/mimedefang/>. The default filter blocks message/partial types.

CanIt: We have released version 1.2-F17 of our commercial CanIt anti-spam solution. This release is based on MIMEDefang 2.21.

MIME-Tools: We have updated our patched version of MIME-Tools at <http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz>. MIME-Tools is a Perl module for parsing MIME messages. The patched version now can descend into message/partial as well as message/rfc822 attachments. Our patched version also fixes various other vulnerabilities in the official package (see <http://online.securityfocus.com/archive/1/275282>).

Regards,
David.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://quantumlab.net/pine_privacy_guard/>

iD8DBQE9gMmHxu9pkTSrlboRAry3AJ4jE+4XurEOIqPtFt8nxRP6/xE2lQCfdAOw
QZHmeIlayd8mkMeKTpE0tDU=
=M+gb
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F-Secure: Not Affected

Notified: September 04, 2002 Updated: September 18, 2002

Status

Not Affected

Vendor Statement

F-Secure is not vulnerable. The F-Secure products recognize multipart messages and contain settings that enable the administrator to control the handling of such messages.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Finjan Software: Not Affected

Notified: September 10, 2002 Updated: September 13, 2002

Status

Not Affected

Vendor Statement

Finjan Software products are not vulnerable. SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules. SurfinShield is installed on end users machines, gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Symantec: Not Affected

Notified: September 04, 2002 Updated: September 18, 2002

Status

Not Affected

Vendor Statement

Symantec has been aware for some time of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company’s comprehensive security policy to restrict potentially harmful content from the internal network.

Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Symantec has published this advisory.

Aladdin Knowledge Systems: Unknown

Notified: September 04, 2002 Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc.: Unknown

Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates: Unknown

Notified: September 04, 2002 Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

CyberSoft: Unknown

Notified: September 04, 2002 Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Associates: Unknown

Notified: September 13, 2002 Updated: September 18, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sophos: Unknown

Notified: September 04, 2002 Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trend Micro: Unknown

Notified: September 04, 2002 Updated: September 13, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The following response from Trend Micro appears in the SecuriTeam advisory:

We have confirmed that our product InterScan VirusWall 3.5x for NT is affected by the vulnerability mentioned by Beyond Security Ltd. regarding fragmented e-mails. In order to resolve this problem, we have released a patch in order to address this particular concern for InterScan VirusWall for NT. The said patch can be downloaded from the following FTP server:

ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/
The said hotfix is named:

Hotfix_build1494_v352_Smtp_case6593.zip
The hotfix mentioned above contains a Readme file which should include the necessary instructions on how to apply the patch.

Our other mail gateway product, InterScan MSS v5.01 is not affected by this vulnerability provided that you apply the latest hotfixes which can be downloaded from our website at:

www.antivirus.com/download


Acknowledgements

The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1121
Severity Metric: 1.80
Date Public:
