Multiple vendor SMTP content filtering can be bypassed using message fragmentation and reassembly
|smtp-content-filtering-bypass (10088)||High Risk|
Multiple vendor's SMTP content filtering engines could allow a remote attacker to bypass content filtering and deliver Viruses, Trojans, or other malicious file types to a vulnerable mail client. This is caused by a vulnerability regarding improper handling of messages that have been sent using the "Message Fragmentation and Re-assembly" option. Message Fragmentation and Reassembly is a technique used for sending large email messages as a series of smaller messages that are re-assembled upon reaching the recipient. An attacker could exploit this vulnerability to deliver malicious mail messages by using the "Message Fragmentation and Re-assembly" option in Microsoft Outlook Express or Microsoft Outlook 2000.
For GFI MailSecurity for Exchange/SMTP:
Upgrade to the latest version of GFI MailSecurity for Exchange/SMTP, available from the GFI Software Web site. See References.
For Trend Micro InterScan VirusWall 3.5.x for NT:
Apply Hotfix_build1494_v352_Smtp_case6593.zip, available from the Trend Micro FTP site. See References.
Upgrade to the latest version of MIMEDefang (2.21 or later), available from the Roaring Penguin Software Web site. See References.
Upgrade to the latest version of CanIt (1.2-F17 or later), available from the CanIt Web site. See References.
Upgrade to the patched version of MIME-Tools 5.411a, available from the following location: http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz.
For other distributions:
Contact your vendor for upgrade or patch information.
- BugTraq Mailing List, Thu Sep 12 2002 - 10:11:07 CDT: MIMEDefang update (was Re: Bypassing SMTP Content Protection ).
- BugTraq Mailing List, Thu Sep 12 2002 - 12:06:06 CDT: Roaring Penguin fixes for "Bypassing SMTP Content Protection with a Flick of a Button".
- BugTraq Mailing List, Thu Sep 12 2002 - 13:13:02 CDT: FW: Bypassing SMTP Content Protection with a Flick of a Button.
- CanIt Web site: Welcome to CanIt.
- GFI Software Web site: Anti Virus for Exchange server.
- Roaring Penguin Software Web site: MIMEDefang.
- SecuriTeam Mailing List, SecurityNews 12 Sep 2002: Bypassing SMTP Content Protection with a Flick of a Button.
- BID-5696: Multiple Vendor Email Message Fragmentation SMTP Filter Bypass Vulnerability
- CVE-2002-1121: SMTP content filter engines, including (1) GFI MailSecurity for Exchange/SMTP before 7.2, (2) InterScan VirusWall before 3.52 build 1494, (3) the default configuration of MIMEDefang before 2.21, and possibly other products, do not detect fragmented emails as defined in RFC2046 (Message Fragmentation and Reassembly) and supported in such products as Outlook Express, which allows remote attackers to bypass content filtering, including virus checking, via fragmented emails of the message/partial content type.
- OSVDB ID: 6188: Multiple Vendor Fragmented Email Virus Scan Bypass
- US-CERT VU#836088: Multiple vendors` email content/virus scanners do not adequately check message/partial MIME entities
- GFI GFI MailSecurity for Exchange 7.2
- GFI GFI MailSecurity for SMTP 7.2
- Roaring Penguin CanIt prior to 1.2-F17
- Roaring Penguin MIMEDefang prior to 2.21
- Trend Micro InterScan VirusWall 3.5.x for NT
- zeegee software MIME-Tools 5.411a
Sep 12, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this