Multiple vendor SMTP content filtering can be bypassed using message fragmentation and reassembly

smtp-content-filtering-bypass (10088). The risk level is classified as High Risk.

Description:

SMTP content filtering engines from multiple vendors could allow a remote attacker to bypass content filtering and deliver viruses, Trojans, or other malicious file types to a vulnerable mail client. The cause is improper handling of messages that have been sent using the "Message Fragmentation and Re-assembly" option. Message fragmentation and reassembly is a technique for sending a large email message as a series of smaller messages that are reassembled upon reaching the recipient. An attacker could exploit this vulnerability to deliver malicious mail messages by using the "Message Fragmentation and Re-assembly" option in Microsoft Outlook Express or Microsoft Outlook 2000.
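
A gateway-side check for the fragmentation described above, as an added example that is not part of the original advisory or any vendor's fix. It assumes the fragments arrive as MIME `message/partial` parts (RFC 2046, parameters `id`, `number`, `total`); the function names and sample messages are constructed for illustration. Fragments are held instead of being scanned one by one, and a set is reported once every piece is present so it can be reassembled and scanned whole.

```python
from collections import defaultdict
from email import message_from_bytes

def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # parameter missing or malformed

def partial_params(raw):
    """Return (id, number, total) if any MIME part is message/partial, else None."""
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() == "message/partial":
            return (str(part.get_param("id")), _int(part.get_param("number")),
                    _int(part.get_param("total")))
    return None

def triage(messages):
    """Split mail into messages scannable as-is and held fragments keyed by id."""
    scan, held = [], defaultdict(dict)
    for raw in messages:
        info = partial_params(raw)
        if info is None:
            scan.append(raw)
        else:
            held[info[0]][info[1]] = info[2]  # fragment number -> declared total
    return scan, held

def complete_sets(held):
    """Ids whose fragments 1..total have all arrived and can be reassembled for scanning."""
    done = []
    for frag_id, parts in held.items():
        total = max((t for t in parts.values() if t), default=None)
        if total and set(parts) == set(range(1, total + 1)):
            done.append(frag_id)
    return done

# Constructed sample traffic: one attachment split in two, plus an ordinary message.
HDR = b"From: a@example.com\r\nTo: b@example.com\r\n"
FRAG1 = (HDR + b'Content-Type: message/partial; id="abc@example.com"; number=1; total=2\r\n\r\n'
         b"Content-Type: application/octet-stream\r\nContent-Transfer-Encoding: base64\r\n\r\nQUJD\r\n")
FRAG2 = HDR + b'Content-Type: message/partial; id="abc@example.com"; number=2; total=2\r\n\r\nREVG\r\n'
PLAIN = HDR + b"Content-Type: text/plain\r\n\r\nhello\r\n"

if __name__ == "__main__":
    scan, held = triage([FRAG1, PLAIN, FRAG2])
    print(len(scan), "scannable;", "complete sets:", complete_sets(held))
```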


Consequences:

Bypass Security

Remedy:

For GFI MailSecurity for Exchange/SMTP:
Upgrade to the latest version of GFI MailSecurity for Exchange/SMTP, available from the GFI Software Web site. See References.

For Trend Micro InterScan VirusWall 3.5.x for NT:
Apply Hotfix_build1494_v352_Smtp_case6593.zip, available from the Trend Micro FTP site. See References.

For MIMEDefang:
Upgrade to the latest version of MIMEDefang (2.21 or later), available from the Roaring Penguin Software Web site. See References.

For CanIt:
Upgrade to the latest version of CanIt (1.2-F17 or later), available from the CanIt Web site. See References.

For MIME-Tools:
Upgrade to the patched version of MIME-Tools 5.411a, available from the following location: http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • GFI GFI MailSecurity for Exchange 7.2
  • GFI GFI MailSecurity for SMTP 7.2
  • Roaring Penguin CanIt prior to 1.2-F17
  • Roaring Penguin MIMEDefang prior to 2.21
  • Trend Micro InterScan VirusWall 3.5.x for NT
  • zeegee software MIME-Tools 5.411a

Reported:

Sep 12, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
