>Date: Tue, 11 Aug 1998 13:21:06 -0400
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Advisory CA-98.10 - mime_buffer_overflows
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>============================================================================
>CERT* Advisory CA-98.10
>Original issue date: August 11, 1998
>
>Topic: Buffer Overflow in MIME-aware Mail and News Clients
>
>------------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of a vulnerability in some
>MIME-aware mail and news clients.
>
>The CERT/CC team recommends updating any vulnerable mail or news clients
>according to the information provided in Appendix A. In addition, network
>administrators may be able to employ some risk mitigation strategies until
>they are able to update all the vulnerable clients. These strategies are
>described in Appendix B.
>
>We will update this advisory as we receive additional information. Please
>check our advisory files regularly for updates that relate to your site.
>
>As of the publication date of this advisory, we have not received any
>reports indicating this vulnerability has been successfully exploited.
>
>------------------------------------------------------------------------------
>
>I. Description
>
>A vulnerability in some MIME-aware mail and news clients could allow
>an intruder to execute arbitrary code, crash the system, or gain
>administrative rights on vulnerable systems. The vulnerability has
>been discovered by Marko Laakso and Ari Takanen of the Secure
>Programming Group of the University of Oulu. It has received
>considerable public attention in the media and through reports
>published by Microsoft, Netscape, AUSCERT, CIAC, NTBugTraq, and
>others.
>
>The vulnerability affects a number of mail and news clients in
>addition to the ones which have been the subjects of those reports.
>
>
>II. Impact
>
>An intruder who sends a carefully crafted mail message to a vulnerable
>system can, under some circumstances, cause code of the intruder's
>choosing to be executed on the vulnerable system. Additionally, an
>intruder can cause a vulnerable mail program to crash unexpectedly.
>
>Depending on the operating system on which the mail client is running
>and the privileges of the user running the vulnerable mail client, the
>intruder may be able to crash the entire system. If a privileged user
>reads mail with a vulnerable mail user agent, an intruder can gain
>administrative access to the system.
>
>
>III. Solution
>
>   A. Obtain and install a patch for this problem as described in
>      Appendix A.
>
>   B. Until you are able to install the appropriate patch, you may wish to
>      install patches to sendmail or to use procmail filtering as described
>      in Appendix B.
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>
>Caldera Inc.
>============
>
>Caldera is currently investigating these issues and in the process of
>releasing a fix. Updated RPMs will be uploaded to:
>
>   ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011
>
>   9d2a8ca516c3bbbe920a72d365780fe3  mutt-0.93.1-2.i386.rpm
>   a20383c9c6f73aac56731ab65c9525fd  mutt-0.93.1-2.src.rpm
>
>
>Data General Corporation
>========================
>
>DG/UX is not vulnerable to this report as it includes no native utilities with
>mime support.
>
>
>Fujitsu
>=======
>
>Fujitsu's operating system, UXP/V, does not support any mail client
>which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is
>not vulnerable.
>
>
>Hewlett-Packard Company
>=======================
>
>The version of dtmail supplied by HP, as part of HP's CDE product, is
>vulnerable. Patches in process.
>
>
>Iris
>====
>
>Iris is aware of this problem and is investigating to determine if Lotus Notes
>is vulnerable.
>
>
>Microsoft Corporation
>=====================
>
>Previously released information regarding this vulnerability is
>available from Microsoft at
>
>   http://www.microsoft.com/security/bulletins/ms98-008.htm
>
>
>NCR
>===
>
>No products are affected.
>
>
>NetBSD Foundation
>=================
>
>The NetBSD Foundation package system contains packages for mutt and pine. All
>users should upgrade to the latest version of these packages as soon as
>possible. Updated binary packages will become available on the NetBSD FTP
>server as soon as possible, and will be announced on the
>netbsd-announce@netbsd.org list. To join this list, or for more information about
>NetBSD, please see http://www.NetBSD.ORG/
>
>
>Netscape
>========
>
>Previously released information regarding this vulnerability is
>available from Netscape at
>
>   http://www.netscape.com/products/security/resources/bugs/longfile.html
>
>
>OpenBSD
>=======
>
>Not affected. OpenBSD does not ship any of the affected products.
>
>
>QUALCOMM Incorporated
>=====================
>
>Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not
>susceptible to buffer overflow security problem
>
>QUALCOMM tested its line of Eudora email software after becoming aware
>of the buffer overflow security problems recently found in Microsoft
>and Netscape email programs. QUALCOMM is pleased to announce that its
>Eudora email products are not susceptible to the types of attacks that
>can harm the computers of users of these other products. QUALCOMM
>tested the latest versions of Eudora Pro and Eudora CommCenter
>versions 4.0, 4.0.1 and 4.1 (beta), as well as Eudora Pro and Eudora
>Light versions 3.0 through 3.0.5 (Windows) and 3.1.3 (Mac). In all
>cases, Eudora does not allow any unauthorized programs to be
>automatically executed on a user's system by exploiting buffer
>overflow flaws.
>
>Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) check incoming
>header sizes and in particular attachment name lengths and truncate
>where appropriate to avoid buffer overrun. In previous versions of
>Eudora, specifically the Windows Eudora versions 3.0 through 3.0.5 and
>4.0, long attachment names under certain conditions could cause the
>program to terminate prematurely, but most importantly, not in such a
>way as to allow unauthorized execution of code. Upgrading to Windows
>Eudora 4.0.1 or 4.0.2 (both shipping) or 4.1 (beta) resolves that
>particular issue.
>
>An unrelated security issue has recently been made public regarding
>the use of Java scripts and attachments in email messages received by
>Eudora 4.x. Full details of this issue, along with links to Eudora
>Pro 4.0.2 and 4.1 updaters, are available at
><http://eudora.qualcomm.com/security.html>. The available Eudora Pro
>4.0.2 and 4.1 updaters correct the potential security risk.
>
>
>The Santa Cruz Operation, Inc. (SCO)
>====================================
>
>The following SCO products are not vulnerable:
>
>- SCO CMW+
>- SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4
>- SCO OpenServer 5, SCO Internet FastStart
>- SCO UnixWare 2.1
>
>SCO UnixWare 7 dtmail may be vulnerable - investigation is
>continuing. Pending this investigation, SCO recommends that
>dtmail not be used on UnixWare 7; mail may be safely read
>using mailx or Netscape Navigator.
>
>
>Sun Microsystems, Inc.
>======================
>
>Sun Microsystems is working on patches for the following products:
>
>   dtmail
>     * CDE versions 1.0.1, 1.0.2 and 1.2.
>     * Patches will be available within three weeks
>
>   mailtool
>     * Openwindows versions 3.0, 3.3, 3.4, 3.5 and 3.6.
>     * Patches will be available within one week.
>
>
>University of Washington
>========================
>
>Pursuant to recent reports of vulnerability to mal-formed or malicious
>MIME attachments, the UW Pine Team has corrected a few cases of
>potential buffer overrun in the latest Pine Message System release,
>version 4.02, that might cause Pine to crash when inordinately long
>MIME-header information is encountered.
>
>It has been speculated that these problems could be exploited to allow
>a message sender to execute an arbitrary command on behalf of the
>receiving user, although with no more privilege than the receiving
>user. While the UW Pine Team is not aware of any specific attacks
>involving this bug, they have made a source patch available to address
>this threat.
>
>The source patch is available from:
>
>   ftp://ftp.cac.washington.edu/pine/pine4.02A.patch
>
>Or via links found within the Pine Information Center at:
>
>   http://www.washington.edu/pine/
>
>The patch is intended for the Pine Mail System version 4.02 (released
>21 July 1998). The file is in context-diff format, and should be
>understood by the "patch" utility. To update Pine 4.02 source, simply
>copy the patch file into the same directory as the pine4.02 source
>tree and type:
>
>   patch -p < pine4.02A.patch
>
>The UW Pine Team strongly encourages sites running version 4.00 or
>greater to upgrade to the latest release, and apply the published
>patch. While versions prior to 4.00 are less sensitive to malicious
>messages, upgrading to version 4.02A (including the patch) is
>recommended.
>
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Appendix B - Risk Mitigation
>
>Although the vulnerability described in this advisory affects mail
>user agents, it may be possible to reduce the risk by modifying mail
>transfer agents to detect the vulnerability before it reaches the mail
>user agent, or by filtering the message.
>
>Below is a list of vendors who have provided us information on
>strategies that can mitigate the risk. Note that these vendors are not
>themselves vulnerable to this problem.
>
>Sendmail, Inc.
>==============
>
>Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail
>as a service to their user base to assist system administrators
>in proactively defending against these problems.
>Sites who choose not to install the patch at this time will
>not increase their exposure to the problem in this case.
>
>This patch and installation instructions are available at
>http://www.sendmail.com/sendmail.8.9.1a.html .
>
>Note that the patch is specific to sendmail version 8.9.1 only.
>If you are unable to upgrade to this version, do not attempt to
>use the patch.
>
>John Hardin
>===========
>
>John Hardin has modified his procmail Filters Kit to include filters
>which may be able to assist sites in defending against these problems.
>
>More information about the procmail Filters Kit is available at
>
>http://www.wolfenet.com/~jhardin/procmail-kit.html
>
>
>------------------------------------------------------------------------------
>Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming
>Group of the University of Oulu; Eric Allman and Gregory Shapiro
>of Sendmail, Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of
>Purdue University for their input.
>------------------------------------------------------------------------------
>
>NO WARRANTY
>-----------
>
>Any material furnished by Carnegie Mellon University and the Software
>Engineering Institute is furnished on an "as is" basis. Carnegie
>Mellon University makes no warranties of any kind, either expressed or
>implied as to any matter including, but not limited to, warranty of
>fitness for a particular purpose or merchantability, exclusivity or
>results obtained from use of the material. Carnegie Mellon University
>does not make any warranty of any kind with respect to freedom from
>patent, trademark, or copyright infringement.
>
>---------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (see http://www.first.org/team-info/).
>
>CERT/CC Contact Information
>----------------------------
>Email    cert@cert.org
>
>Phone    +1 412-268-7090 (24-hour hotline)
>         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
>         and are on call for emergencies during other hours.
>
>Fax      +1 412-268-6989
>
>Postal address
>         CERT Coordination Center
>         Software Engineering Institute
>         Carnegie Mellon University
>         Pittsburgh PA 15213-3890
>         USA
>
>Using encryption
>   We strongly urge you to encrypt sensitive information sent by email. We can
>   support a shared DES key or PGP. Contact the CERT/CC for more information.
>   Location of CERT PGP key
>      ftp://ftp.cert.org/pub/CERT_PGP.key
>
>Getting security information
>   CERT publications and other security information are available from
>      http://www.cert.org/
>      ftp://ftp.cert.org/pub/
>
>   CERT advisories and bulletins are also posted on the USENET newsgroup
>      comp.security.announce
>
>   To be added to our mailing list for advisories and bulletins, send
>   email to
>      cert-advisory-request@cert.org
>   In the subject line, type
>      SUBSCRIBE your-email-address
>
>---------------------------------------------------------------------------
>
>Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
>and sponsorship information can be found in
>http://www.cert.org/legal_stuff/legal_stuff.html and
>ftp://ftp.cert.org/pub/legal_stuff .
>If you do not have FTP or web access, send mail to cert@cert.org with
>"copyright" in the subject line.
>
>*CERT is registered in the U.S. Patent and Trademark Office.
>
>---------------------------------------------------------------------------
>
>This file:
>
>   ftp://ftp.cert.org/pub/cert_advisories/CA-98.10.mime_buffer_overflows
>
>   http://www.cert.org/advisories/CA-98.10-mime-buffer-overflows.html
>
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
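The advisory credits Eudora 4.0.1 with checking header sizes and truncating over-long attachment names, and Appendix B suggests catching such headers at the MTA before the user agent sees them. The following C code is an added illustration of both ideas, not code from CERT or any vendor above; MAX_NAME, the function names and the sample headers are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_NAME 64   /* assumed size of a client's fixed attachment-name buffer */

/* Copy the filename= parameter of a Content-Disposition value into dst,
 * writing at most dst_len-1 bytes and always NUL-terminating (the bounded
 * copy a fixed-buffer client needs). Returns the length of the name as
 * received, before truncation, or -1 when no filename parameter is present. */
long extract_filename(const char *header, char *dst, size_t dst_len)
{
    const char *p = strstr(header, "filename=");
    if (p == NULL || dst_len == 0)
        return -1;
    p += strlen("filename=");
    int quoted = (*p == '"');
    if (quoted)
        p++;
    const char *end = p;                       /* scan to closing quote / ';' / EOL */
    while (*end && *end != (quoted ? '"' : ';') && *end != '\r' && *end != '\n')
        end++;
    size_t len = (size_t)(end - p);
    size_t n = len < dst_len - 1 ? len : dst_len - 1;   /* truncate, never overrun */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (long)len;
}

/* MTA-side check: 1 if the filename would not fit the client's buffer
 * (the condition a filter rule would reject or quarantine), else 0. */
int filename_oversized(const char *header)
{
    char buf[MAX_NAME];
    long len = extract_filename(header, buf, sizeof buf);
    return len >= (long)sizeof buf;
}

/* Build a constructed Content-Disposition value whose filename is name_len
 * repeated 'a' characters; returns 0 on success, -1 if out is too small. */
int make_header(char *out, size_t out_len, size_t name_len)
{
    const char prefix[] = "attachment; filename=\"";
    if (out_len < sizeof prefix + name_len + 2)
        return -1;
    strcpy(out, prefix);
    memset(out + sizeof prefix - 1, 'a', name_len);
    out[sizeof prefix - 1 + name_len] = '"';
    out[sizeof prefix + name_len] = '\0';
    return 0;
}
```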