************************************************************************** Security Bulletin 9820 DISA Defense Communications System August 12, 1998 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT* Advisory CA-98.10 Original issue date: August 11, 1998 Topic: Buffer Overflow in MIME-aware Mail and News Clients - ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of a vulnerability in some MIME-aware mail and news clients. The CERT/CC team recommends updating any vulnerable mail or news clients according to the information provided in Appendix A. In addition, network administrators may be able to employ some risk mitigation strategies until they are able to update all the vulnerable clients. These strategies are described in Appendix B. We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site. As of the publication date of this advisory, we have not received any reports indicating this vulnerability has been successfully exploited. - ----------------------------------------------------------------------------- I. Description A vulnerability in some MIME-aware mail and news clients could allow an intruder to execute arbitrary code, crash the system, or gain administrative rights on vulnerable systems. The vulnerability has been discovered by Marko Laakso and Ari Takanen of the Secure Programming Group of the University of Oulu. It has received considerable public attention in the media and through reports published by Microsoft, Netscape, AUSCERT, CIAC, NTBugTraq, and others. The vulnerability affects a number of mail and news clients in addition to the ones which have been the subjects of those reports. II. Impact An intruder who sends a carefully crafted mail message to a vulnerable system can, under some circumstances, cause code of the intruder's choosing to be executed on the vulnerable system. Additionally, an intruder can cause a vulnerable mail program to crash unexpectedly. Depending on the operating system on which the mail client is running and the privileges of the user running the vulnerable mail client, the intruder may be able to crash the entire system. If a privileged user reads mail with a vulnerable mail user agent, an intruder can gain administrative access to the system. III. Solution A. Obtain and install a patch for this problem as described in Appendix A. B. Until you are able to install the appropriate patch, you may wish to install patches to sendmail or to use procmail filtering as described in Appendix B. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Appendix A - Vendor Information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly. Caldera Inc. ============ Caldera is currently investigating these issues and in the process of releasing a fix. Updated RPMs will be uploaded to: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011 9d2a8ca516c3bbbe920a72d365780fe3 mutt-0.93.1-2.i386.rpm a20383c9c6f73aac56731ab65c9525fd mutt-0.93.1-2.src.rpm Data General Corporation ======================== DG/UX is not vulnerable to this report as it includes no native utilities with mime support. Fujitsu ======= Fujitsu's operating system, UXP/V, does not support any mail client which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is not vulnerable. Hewlett-Packard Company ======================= The version of dtmail supplied by HP, as part of HP's CDE product, is vulnerable. Patches in process. Iris ==== Iris is aware of this problem and is investigating to determine if Lotus Notes is vulnerable. Microsoft Corporation ===================== Previously released information regarding this vulnerability is available from Microsoft at http://www.microsoft.com/security/bulletins/ms98-008.htm NCR ==== No products are affected. NetBSD Foundation ================= The NetBSD Foundation package system contains packages for mutt and pine. All users should upgrade to the latest version of these packages as soon as possible. Updated binary packages will become available on the NetBSD FTP server as soon as possible, and will be announced on the netbsd-announce@netbsd.org list. To join this list, or more information about NetBSD, please see http://www.NetBSD.ORG/ Netscape ======== Previously released information regarding this vulnerability is available from Netscape at http://www.netscape.com/products/security/resources/bugs/longfile.html OpenBSD ======= Not affected. OpenBSD does not ship any of the affected products. QUALCOMM Incorporated ===================== Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not susceptible to buffer overflow security problem QUALCOMM tested its line of Eudora email software after becoming aware of the buffer overflow security problems recently found in Microsoft and Netscape email programs. QUALCOMM is pleased to announce that its Eudora email products are not susceptible to the types of attacks that can harm the computers of users of these other products. QUALCOMM tested the latest versions of Eudora Pro and Eudora CommCenter versions 4.0, 4.0.1 and 4.1 (beta), as well as Eudora Pro and Eudora Light versions 3.0 through 3.0.5 (Windows) and 3.1.3 (Mac). In all cases, Eudora does not allow any unauthorized programs to be automatically executed on a user's system by exploiting buffer overflow flaws. Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) checks incoming header sizes and in particular attachment name lengths and truncates where appropriate to avoid buffer overrun. Previous versions of Eudora, specifically the Windows Eudora versions 3.0 through 3.0.5 and 4.0, long attachment names under certain conditions could cause the program to terminate prematurely, but most importantly, not in such a way as to allow unauthorized execution of code. Upgrading to Windows Eudora 4.0.1 or 4.0.2 (both shipping) or 4.1 (beta) resolves that particular issue. An unrelated security issue has recently been made public regarding the use of Java scripts and attachments in email messages received by Eudora 4.x. Full details of this issue, along with links to Eudora Pro 4.0.2 and 4.1 updaters is available at . The available Eudora Pro 4.0.2 and 4.1 updaters correct the potential security risk. The Santa Cruz Operation, Inc. (SCO) ==================================== The following SCO products are not vulnerable: - - SCO CMW+ - - SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4 - - SCO OpenServer 5, SCO Internet FastStart - - SCO UnixWare 2.1 SCO UnixWare 7 dtmail may be vulnerable - investigation is continuing. Pending this investigation, SCO recommends that dtmail not be used on UnixWare 7; mail may be safely read using mailx or Netscape Navigator. Sun Microsystems, Inc. ====================== Sun Microsystems is working on patches for the following products: dtmail * CDE versions 1.0.1, 1.0.2 and 1.2. * Patches will be available within three weeks mailtool * Openwindows versions 3.0, 3.3, 3.4, 3.5 and 3.6. * Patches will be available within one week. University of Washington ======================== Pursuant to recent reports of vulnerability to mal-formed or malicious MIME attachments, the UW Pine Team has corrected a few cases of potential buffer overrun in the latest Pine Message System release, version 4.02, that might cause Pine to crash when inordinately long MIME-header information is encountered. It has been speculated that these problems could be exploited to allow a message sender to execute an arbitrary command on behalf of the receiving user, although with no more privilege than the receiving user. While the UW Pine Team is not aware of any specific attacks involving this bug, they have made a source patch available to address this threat. The source patch is available from: ftp://ftp.cac.washington.edu/pine/pine4.02A.patch Or via links found within the Pine Information Center at: http://www.washington.edu/pine/ The patch is intended for the Pine Mail System version 4.02 (released 21 July 1998). The file is in context-diff format, and should be understood by the "patch" utility. To update Pine 4.02 source, simply copy the patch file into the same directory as the pine4.02 source tree and type: patch -p < pine4.02A.patch The UW Pine Team strongly encourages sites running version 4.00 or greater to upgrade to the latest release, and apply the published patch. While versions prior to 4.00 are less sensitive to malicious messages, upgrading to version 4.02A (including the patch) is recommended. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Appendix B - Risk Mitigation Although the vulnerability described in this advisory affects mail user agents, it may be possible to reduce the risk by modifying mail transfer agents to detect the vulnerability before it reaches the mail user agent, or by filtering the message. Below is a list of vendors who have provided us information on strategies that can mitigate the risk. Note that these vendors are not themselves vulnerable to this problem. Sendmail, Inc. ============== Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail as a service to their user base to assist system administrators in proactively defending against these problems. Sites who choose not to install the patch at this time will not increase their exposure to the problem in this case. This patch and installation instructions are available at http://www.sendmail.com/sendmail.8.9.1a.html . Note that the patch is specific to sendmail version 8.9.1 only. If you are unable to upgrade to this version, do not attempt to use the patch. John Hardin =========== John Hardin has modified his procmail Filters Kit to include filters which may be able to assist sites in defending against these problems. More information about the procmail Filters Kit is available at http://www.wolfenet.com/~jhardin/procmail-kit.html - ----------------------------------------------------------------------------- Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming Group of the University of Oulu; Eric Allman and Gregory Shapiro of Sendmail, Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of Purdue University for their input. - ----------------------------------------------------------------------------- NO WARRANTY - ----------- Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. - --------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/). CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://ftp.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://ftp.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address - --------------------------------------------------------------------------- Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. *CERT is registered in the U.S. Patent and Trademark Office. - --------------------------------------------------------------------------- This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.10.mime_buffer_overflows http://www.cert.org/advisories/CA-98.10-mime-buffer-overflows.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNdBl9XVP+x0t4w7BAQFhcQP/TAY8dJ/ooGt6gS4i6dTBW+1bZMKI7s3O ohtj79DBfp8rFNhheyu5cGAAW3xksoo5CaeuSdQetjjjemoHo/ejFRIwWW3EWB1W Juu7awD066ApN32QbSsKf8/RVbXHDXdBP7P/klSxLxxThb3oMVCW2MOxLadF4aHr 2CYjRtNWk20= =Czyn -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.