CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
84.6%
Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing “message/partial” MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.
Section 5.2.2 of RFC 2046 defines the “message/partial” Multipurpose Internet Mail Extensions (MIME) type:
5.2.2. Partial Subtype
The "partial" subtype is defined to allow large entities to be
delivered as several separate pieces of mail and automatically
reassembled by a receiving user agent. (The concept is similar to IP
fragmentation and reassembly in the basic Internet Protocols.) This
mechanism can be used when intermediate transport agents limit the
size of individual messages that can be sent. The media type
"message/partial" thus indicates that the body contains a fragment of
a larger entity.
Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different “message/partial” MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent s a “message/partial” MIME entitiy split across multiple email messages.
Note that some products may corrupt messages containing “message/partial” MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). This behavior provides some protection at the cost of breaking the intended functionality of the “message/partial” MIME type.
Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.
Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as “message/partial” MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.
Apply Patch
Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.
Block “message/partial” MIME Types
If possible, configure your mail server, firewall, or other gateway technology to block messages containing “message/partial” MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing “message/partial” parts.
Disable Message Reassembly
If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any “message/partial” MIME entities, whether or not they are malicious.
Use Desktop Anti-Virus Software
Deploy and maintain updated desktop anti-virus software.
836088
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: September 13, 2002 Updated: September 18, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The following response from Check Point appears in the SecuriTeam advisory:
Neither the latest 4.1 nor the latest NG versions of FW-1 are vulnerable to this problem. A few details follow:
1. FW-1 does not directly analyze the body of attachments. In that respect, the vulnerability is not applicable to FW-1.
_2. FW-1 has the capability to easily filter these types of messages, by specifying “message/partial” in the “Strip MIME of type:” section of the resource definition. _
3. FW-1 does serve as a platform for third party vendors to check attachments for viruses via the “CVP” OPSEC mechanism. When defining a CVP server, a message box is presented to the administrator (when approving the resource) that says:
_“When CVP server is used it is recommended to strip MIME of type ‘message/partial’. Do you want to add ‘message/partial’?” _
Pressing “Yes” will automatically add ‘message/partial’ to the appropriate place in the resource definition.
We therefore believe is safe to say that not only are we not vulnerable to this problem ourselves, we also protect 3rd party opsec partners from falling for this pitfall.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 18, 2002
Affected
Internal evaluation has revealed that Command AntiVirus™ for Microsoft Exchange is vulnerable. Command is working on possible solution.
Additionally, should known malicious code be delievered to a client in this manner, the Command AntiVirus will detect it when the message is reassembled to the client computer.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 13, 2002 Updated: September 18, 2002
Affected
GFI MailSecurity for Exchange/SMTP 7.2 has been updated to detect this exploit as “fragmented message” through its email exploit detection engine and quarantines it at server level.
We also have released an advisory:
<http://www.gfi.com/news/en/GFISEC16092002.htm>
As well as an online test:
<http://www.gfi.com/emailsecuritytest/>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Updated: September 18, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello,
We at Roaring Penguin Software Inc. have updated our products to deal with the vulnerability at ``<http://online.securityfocus.com/archive/1/291514>``
MIMEDefang: We have released version 2.21 of MIMEDefang at ``<http://www.roaringpenguin.com/mimedefang/>`` The default filter blocks message/partial types.
CanIt: We have released version 1.2-F17 of our commercial CanIt anti-spam solution. This release is based on MIMEDefang 2.21.
MIME-Tools: We have updated our patched version of MIME-Tools at ``<http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz>`` MIME-Tools is a Perl module for parsing MIME messages. The patched version now can descend into message/partial as well as message/rfc822 attachments. Our patched version also fixes various other vulnerabilities in the official package (see ``<http://online.securityfocus.com/archive/1/275282>``)
Regards,
David. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see ``<http://quantumlab.net/pine_privacy_guard/>``
iD8DBQE9gMmHxu9pkTSrlboRAry3AJ4jE+4XurEOIqPtFt8nxRP6/xE2lQCfdAOw QZHmeIlayd8mkMeKTpE0tDU= =M+gb -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 18, 2002
Not Affected
F-Secure is not vulnerable. The F-Secure products recognize multipart messages and contain settings that enables the administrator to control the handling of such messages.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 10, 2002 Updated: September 13, 2002
Not Affected
Finjan Software products are not vulnerable. SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules. SurfinShield is installed on end users machines, gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 18, 2002
Not Affected
Symantec has been aware for some time of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company’s comprehensive security policy to restrict potentially harmful content from the internal network.
Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.
The vendor has not provided us with any further information regarding this vulnerability.
Symantec has published this advisory.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 13, 2002 Updated: September 18, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
Notified: September 04, 2002 Updated: September 13, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The following response from GFI appears in the SecuriTeam advisory:
We have confirmed that our product InterScan VirusWall 3.5x for NT is affected by the vulnerability mentioned by Beyond Security Ltd. regarding fragmented e-mails. In order to resolve this problem, we have released a patch in order to address this particular concern for InterScan VirusWall for NT. The said patch can be downloaded from the following FTP server:
ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/
The said hotfix is named:
Hotfix_build1494_v352_Smtp_case6593.zip
The hotfix mentioned above contains a Readme file which should include the necessary instructions on how to apply the patch.
Our other mail gateway product, InterScan MSS v5.01 is not affected by this vulnerability provided that you apply the latest hotfixes which can be downloaded from our website at:
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23836088 Feedback>).
View all 14 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
The CERT/CC thanks Noam Rathaus of Beyond-Security SecuriTeam for reporting this vulnerability, and Menashe Eliezer of Finjan Software for information used in this document.
This document was written by Art Manion.
CVE IDs: | CVE-2002-1121 |
---|---|
Severity Metric: | 1.80 Date Public: |