Buffer Overflows in various email clients

2001-09-20T00:00:00
ID VU:5648
Type cert
Reporter CERT
Modified 2003-04-11T22:52:00

Description

Overview

Buffer Overflows in several MIME headers affect a large number of electronic mail clients.

Description

A variety of electronic mail clients (circa 1998) are vulnerable to buffer overflow attacks in the code that processes MIME headers. See the vendor statements referenced below for details specific to each mail client.


Impact

An intruder can crash vulnerable mail clients, or use them to execute arbitrary code with the privileges of the user reading the mail.

If the operating system where the vulnerable program resides does not provide strong memory protection, an intruder who is able to crash the mail clinet may be able to crash the entire operating system.

If a user with administrative access to the system (including Windows 95/Windows 98 users, as well as Unix 'root' or NT 'administrator') an intruder can use the vulnerability to gain administrative access to the system.


Solution

Fixing the problem requires modifying each email client with an appropriate patch from the vendor.


There are several things that can be done to mitigate the risk if a patch cannot be installed.

filter at the mail transfer agent (as in sendmail)
filter in procmail
filter in a firewall product

None of these really fix the problem, but they may provide some additional protection. There are at least two downsides, however: 1) performance -- the MTA has to scan each and every message for the problem, potentially becoming a bottleneck. 2) Unless you decode the information completely, you run the risk of overlooking some aspect of the problem. Most classic filtering solutions rely on fingerprints of the problem, rather than interpreting the nature of the information that is being filtered. A common example is the difficulty firewalls face when trying to filter fragmented packets. Unless the firewall implements its own reassembly routines, it may allow inappropriate trafic to pass, or block appropriate traffic.


Vendor Information

5648

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Hewlett-Packard Company __ Affected

Updated: September 20, 2001

Status

Affected

Vendor Statement

"The version of dtmail supplied by HP, as part of HP's CDE product, is vulnerable. Patches in process"

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation __ Affected

Updated: September 20, 2001

Status

Affected

Vendor Statement

See <http://www.microsoft.com/security/bulletins/ms98-008.htm>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mutt __ Affected

Updated: September 20, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Upgrade to 0.93.2 or later.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Affected

Updated: August 07, 1998

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Affected

Updated: August 07, 1998

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux) __ Affected

Updated: September 20, 2001

Status

Affected

Vendor Statement

See <ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Eric Allman __ Not Affected

Updated: September 20, 2001

Status

Not Affected

Vendor Statement

Sendmail is not vulnerable but can be used to mitigate the risk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Updated: August 07, 1998

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NCR Not Affected

Updated: August 07, 1998

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD __ Not Affected

Updated: September 20, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

They don't ship any of the affected products

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pegasus Mail Not Affected

Updated: August 11, 1998

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

QUALCOMM Not Affected

Updated: August 07, 1998

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Updated: August 07, 1998

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software Unknown

Notified: August 07, 1998 Updated: August 28, 2000

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare) Unknown

Updated: August 07, 1998

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 15 vendors View less vendors

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <http://www.microsoft.com/security/bulletins/ms98-008.htm>
  • <http://www.netscape.com/products/security/resources/bugs/longfile.html>
  • <http://www.ciac.org/ciac/MIMEfaq.html>
  • <http://www.ciac.org/ciac/bulletins/i-077a.shtml>
  • <ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow>
  • <http://www.sjmercury.com/business/tech/docs/security072898.htm>

Acknowledgements

This document was written by Shawn V Hernan.

Other Information

CVE IDs: | None
---|---
CERT Advisory: | CA-1998-10
Severity Metric: | 81.00
Date Public: | 1998-07-27
Date First Published: | 2001-09-20
Date Last Updated: | 2003-04-11 22:52 UTC
Document Revision: | 7