Original issue date: August 11, 1998<BR>
Last revised: October 19, 1998<BR>
Added vendor information for Compaq Computer Corporation<BR>

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of a
vulnerability in some MIME-aware mail and news clients.

<P>The CERT/CC team recommends updating any vulnerable mail or news
clients according to the information provided in
<A HREF="#Appendix A - Vendor">Appendix A</A>. In addition, network
administrators may be able to employ some risk mitigation strategies
until they are able to update all the vulnerable clients. These
strategies are described in <A HREF="#Appendix B - Risk">Appendix B</A>.

<P>We will update this advisory as we receive additional
information. Please check our advisory files regularly for updates
that relate to your site.

<P>As of the publication date of this advisory, we have not received
any reports indicating this vulnerability has been successfully
exploited.

<BR>
<HR>

<H2>I. Description</H2>

<P>A vulnerability in some MIME-aware mail and news clients could
allow an intruder to execute arbitrary code, crash the system, or gain
administrative rights on vulnerable systems. The vulnerability has
been discovered by Marko Laakso and Ari Takanen of the Secure
Programming Group of the University of Oulu. It has received
considerable public attention in the media and through reports
published by
<A HREF="http://www.microsoft.com">Microsoft</A>,
<A HREF="http://www.netscape.com">Netscape</A>,
<A HREF="http://www.auscert.org.au">AUSCERT</A>,
<A HREF="http://ciac.llnl.gov">CIAC</A>,
<A HREF="http://www.ntbugtraq.com">NTBugTraq</A>,
and others.

<P>The vulnerability affects a number of mail and news clients in
addition to the ones which have been the subjects of those reports.

<H2>II. Impact</H2>

<P>An intruder who sends a carefully crafted mail message to a
vulnerable system can, under some circumstances, cause code of the
intruder's choosing to be executed on the vulnerable system.
Additionally, an intruder can cause a vulnerable mail program to crash
unexpectedly.  Depending on the operating system on which the mail
client is running and the privileges of the user running the
vulnerable mail client, the intruder may be able to crash the entire
system.  If a privileged user reads mail with a vulnerable mail user
agent, an intruder can gain administrative access to the system.

<H2>III. Solution</H2>

<P>A. <B>Obtain and install a patch for this problem as described in <A HREF="#Appendix A - Vendor">Appendix
A</A>.</B>

<P>B. <B>Until you are able to install the appropriate patch, you may wish
to install patches to sendmail or to use procmail filtering as described
in <A HREF="#Appendix B - Risk">Appendix B</A>.</B>

<H2><A NAME="Appendix A - Vendor"></A>Appendix A - Vendor Information</H2>
Below is a list of the vendors who have provided information for this advisory.
We will update this appendix as we receive additional information. If you
do not see your vendor's name, the CERT/CC did not hear from that vendor.
Please contact the vendor directly.

<P><B><U>Caldera Inc.</U></B>
<BR>Caldera is currently investigating these issues and in the process
of releasing a fix. Updated RPMs will be uploaded to:

<PRE>
    ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/011
        9d2a8ca516c3bbbe920a72d365780fe3  mutt-0.93.1-2.i386.rpm
        a20383c9c6f73aac56731ab65c9525fd  mutt-0.93.1-2.src.rpm
</PRE>

<P><B><U>Compaq Computer Corporation</U></B>
<BR>
<PRE>
_______________________________________________________________________
SOURCE:                                 
 
(c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation.
    All rights reserved.
 
SOURCE: Compaq Computer Corporation
        Compaq Services
        Software Security Response Team USA
 
X-REF:  AUSCERT AA-98.04,
        CIAC I-077,
        CERT CA-98.10
Subj.   mime-aware mail clients
 
    This reported problem is not present for the as shipped,
    Compaq's Digital ULTRIX or Compaq's Digital UNIX
    Operating Systems Software.
 
 
                                 - Compaq Computer Corporation
</PRE>

<P><B><U>Data General Corporation</U></B>

<P>DG/UX is not vulnerable to this report as it includes no native utilities
with MIME support.

<P><B><U>Fujitsu</U></B>

<P>Fujitsu's operating system, UXP/V, does not support any mail client
which can handle MIME encoding/decoding. Therefore, Fujitsu UXP/V is not
vulnerable.

<P><B><U>Hewlett-Packard Company</U></B>

<P>The version of dtmail supplied by HP, as part of HP's CDE product, is
vulnerable. Patches in process.

<P><B><U>Iris</U></B>

<P>Iris is aware of this problem and is investigating to determine if Lotus
Notes is vulnerable.

<P><B><U>Microsoft Corporation</U></B>

<P>Previously released information regarding this vulnerability is available
from Microsoft at <A HREF="http://www.microsoft.com/security/bulletins/ms98-008.htm">http://www.microsoft.com/security/bulletins/ms98-008.htm</A>


<P><B><U>Mutt</U></B>

<P>Mutt versions up to 0.93.1(i) were vulnerable to a
  remotely exploitable buffer overflow.  The bug has been
  fixed as of mutt 0.93.2(i).  A patch was distributed on
  Usenet on July 29.

<P>Users of older versions should upgrade as soon as
  possible.

<P>Mutt 0.93.2(i) is available from<BR>
&nbsp;&nbsp;ftp://ftp.guug.de/pub/mutt/

<P>The distribution files with their MD5 checksums:
<PRE>
  diff-0.93.1-0.93.2.gz    39918e8c27e1a762af77052ea1164dbb
  diff-0.93.1i-0.93.2i.gz  aa08b3b3ade6e733c9bb01809199e3e7
  mutt-0.93.2i.tar.gz      9ce8f1020a638d07cb3772b1ebe9887d
  mutt-0.93.2.tar.gz       89a0888b1d25895cdc74f0999713f52b
</PRE>

<P>SHA1 checksums:
<PRE>
  diff-0.93.1-0.93.2.gz    326b4dd8479717ab1bc073a1a3eaa13ef6d551df
  diff-0.93.1i-0.93.2i.gz  1358d1462d76c1c41a2070bdf5eee1b60a216ee8
  mutt-0.93.2i.tar.gz      2a16bd1ee9edf24222d39998e80d8adafa6d45fa
  mutt-0.93.2.tar.gz       1048f600395b328783bf58dedddd9a18ad4e36d1
</PRE>

<P>Credits for noting this bug and giving a first fix on
  bugtraq go to Paul Boehm &lt;paul@boehm.org&gt;.

<P><B><U>NCR</U></B>

<P>No products are affected.

<P><B><U>NetBSD Foundation</U></B>

<P>The NetBSD Foundation package system contains packages for mutt and
pine. All users should upgrade to the latest version of these packages
as soon as possible. Updated binary packages will become available on the
NetBSD FTP server as soon as possible, and will be announced on the netbsd-announce@netbsd.org
list. To join this list, or more information about NetBSD, please see <A HREF="http://www.NetBSD.ORG/">http://www.NetBSD.ORG/</A>

<P><B><U>Netscape</U></B>

<P>Previously released information regarding this vulnerability is available
from Netscape at <A HREF="http://www.netscape.com/products/security/resources/bugs/longfile.html">http://www.netscape.com/products/security/resources/bugs/longfile.html</A>

<P><B><U>OpenBSD</U></B>

<P>Not affected. OpenBSD does not ship any of the affected products.

<P><B><U>Pegasus Mail</U></B>

<P>We have conducted a strenuous examination of the equivalent code in
Pegasus Mail and can confirm that Pegasus Mail is *not* vulnerable
to this particular attack. Pegasus Mail handles attachments in a
different manner from the affected Netscape and Microsoft products,
and does proper bounds checking on filename lengths in all cases.
 
<P>In the course of following up on this problem, we *have* unearthed a
related problem, though: there are conceivable scenarios where
Pegasus Mail may be made to crash when it attempts to parse a
particular class of improperly-formatted MIME headers. The crash
does not result from a buffer overflow, and hence has none of the
security ramifications of the Netscape/OE problem - the crash itself
is the worst that can happen. We have corrected this particular
parser problem for the v3.01c release of Pegasus Mail, which will be
out early next week.
 
<P>To reiterate: Pegasus Mail is *not* vulnerable to the problem
currently being publicized.
 
<P>Mercury users: our Mercury Mail Transport System is not currently
required to perform MIME parsing, and is hence completely immune
to this problem.

<P><B><U>QUALCOMM Incorporated</U></B>

<P>Eudora Pro Email, Eudora Pro CommCenter and Eudora Light not susceptible
to buffer overflow security problem

<P>QUALCOMM tested its line of Eudora email software after becoming aware
of the buffer overflow security problems recently found in Microsoft and
Netscape email programs. QUALCOMM is pleased to announce that its Eudora
email products are not susceptible to the types of attacks that can harm
the computers of users of these other products. QUALCOMM tested the latest
versions of Eudora Pro and Eudora CommCenter versions 4.0, 4.0.1 and 4.1
(beta), as well as Eudora Pro and Eudora Light versions 3.0 through 3.0.5
(Windows) and 3.1.3 (Mac). In all cases, Eudora does not allow any unauthorized
programs to be automatically executed on a user's system by exploiting
buffer overflow flaws.

<P>Internally, Eudora 4.0.1 (shipping) and 4.1 (beta) check incoming header
sizes, and in particular attachment name lengths, and truncate where appropriate
to avoid buffer overrun. In previous versions of Eudora, specifically the
Windows Eudora versions 3.0 through 3.0.5 and 4.0, long attachment names
under certain conditions could cause the program to terminate prematurely,
but most importantly, not in such a way as to allow unauthorized execution
of code. Upgrading to Windows Eudora 4.0.1 or 4.0.2 (both shipping) or
4.1 (beta) resolves that particular issue.

<P>An unrelated security issue has recently been made public regarding
the use of Java scripts and attachments in email messages received by Eudora
4.x. Full details of this issue, along with links to Eudora Pro 4.0.2 and
4.1 updaters, are available at <A HREF="http://eudora.qualcomm.com/security.html">http://eudora.qualcomm.com/security.html</A>.
The available Eudora Pro 4.0.2 and 4.1 updaters correct the potential security
risk.

<P><B><U>The Santa Cruz Operation, Inc. (SCO)</U></B>

<P>The following SCO products are not vulnerable:
<BR>&nbsp;&nbsp;&nbsp; - SCO CMW+
<BR>&nbsp;&nbsp;&nbsp; - SCO Open Desktop / Open Server 3.0, SCO UNIX 3.2v4
<BR>&nbsp;&nbsp;&nbsp; - SCO OpenServer 5, SCO Internet FastStart
<BR>&nbsp;&nbsp;&nbsp; - SCO UnixWare 2.1

<P>SCO UnixWare 7 dtmail may be vulnerable - investigation is continuing.
Pending this investigation, SCO recommends that dtmail not be used on UnixWare
7; mail may be safely read using mailx or Netscape Navigator.

<P><B><U>Sun Microsystems, Inc.</U></B>

<P>Please refer to Sun Microsystems, Inc. Security Bulletin, "mailtool", 
Number: 00175, distributed September 9, 1998 for additional information 
relating to this vulnerability.<BR>
<BR> 
Patches and Checksums are available to all Sun customers via World Wide Web at:

<P>&nbsp;&nbsp;&nbsp;
<A HREF="http://sunsolve.sun.com/sunsolve/pubpatches/patches.html">http://sunsolve.sun.com/sunsolve/pubpatches/patches.html</A>

<P>Sun security bulletins are available via World Wide Web at:

<P>&nbsp;&nbsp;&nbsp; <A HREF="http://sunsolve.sun.com/pub-cgi/secbul.pl">http://sunsolve.sun.com/pub-cgi/secbul.pl</A>

<P><B><U>University of Washington</U></B>

<P>Pursuant to recent reports of vulnerability to malformed or malicious
MIME attachments, the UW Pine Team has corrected a few cases of potential
buffer overrun in the latest Pine Message System release, version 4.02,
that might cause Pine to crash when inordinately long MIME-header information
is encountered.

<P>It has been speculated that these problems could be exploited to allow
a message sender to execute an arbitrary command on behalf of the receiving
user, although with no more privilege than the receiving user. While the
UW Pine Team is not aware of any specific attacks involving this bug, they
have made a source patch available to address this threat.

<P>The source patch is available from:

<P>&nbsp;&nbsp;&nbsp; <A HREF="ftp://ftp.cac.washington.edu/pine/pine4.02A.patch">ftp://ftp.cac.washington.edu/pine/pine4.02A.patch</A>

<P>Or via links found within the Pine Information Center at:

<P>&nbsp;&nbsp;&nbsp; <A HREF="http://www.washington.edu/pine/">http://www.washington.edu/pine/</A>

<P>The patch is intended for the Pine Mail System version 4.02 (released
21 July 1998). The file is in context-diff format, and should be understood
by the "patch" utility. To update Pine 4.02 source, simply copy the patch
file into the same directory as the pine4.02 source tree and type:

<P>&nbsp;&nbsp;&nbsp; patch -p &lt; pine4.02A.patch

<P>The UW Pine Team strongly encourages sites running version 4.00 or greater
to upgrade to the latest release, and apply the published patch. While
versions prior to 4.00 are less sensitive to malicious messages, upgrading
to version 4.02A (including the patch) is recommended.
<HR>
<H2><A NAME="Appendix B - Risk"></A>Appendix B - Risk Mitigation</H2>
Although the vulnerability described in this advisory affects mail user
agents, it may be possible to reduce the risk by modifying mail transfer
agents to detect messages that trigger the vulnerability before they reach
the mail user agent, or by filtering such messages. Below is a list of vendors
who have provided us information on strategies that can mitigate the risk.
Note that these vendors are not themselves vulnerable to this problem.
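<P>The two defences this advisory describes, bounds checking of attachment
name lengths inside the client (Section II and the Eudora, Pegasus and Pine
statements in Appendix A) and MTA-side detection of messages carrying
oversized MIME parameters (this appendix), are illustrated in the following
added example. It is not code from CERT/CC or from any vendor named above; the
header parser, the MAX_FILENAME and SUSPECT_LEN limits, and the sample headers
are all constructed for this example, and the function names are hypothetical.
It locates the <CODE>filename=</CODE> (Content-Disposition) or
<CODE>name=</CODE> (Content-Type) parameter without ever copying past a
fixed buffer, and counts how many header lines carry a value longer than a
site-chosen threshold, which is the check a filtering MTA or procmail recipe
would apply before delivery.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILENAME 64    /* hypothetical client buffer: values are truncated to fit */
#define SUSPECT_LEN  128   /* example MTA threshold: longer parameter values are flagged */
#define LONG_NAME_LEN 300  /* length of the constructed overlong sample name */

/* Case-insensitive test that string s begins with prefix p. */
static int ci_prefix(const char *s, const char *p)
{
    for (; *p; s++, p++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
            return 0;
    return 1;
}

/* Find ";" WSP* param "=" inside hdr[0..n) and return a pointer to the
 * value (possibly quoted), or NULL. Every read is bounded by n. */
static const char *find_param(const char *hdr, size_t n, const char *param)
{
    size_t plen = strlen(param), i, j;
    for (i = 0; i < n; i++) {
        if (hdr[i] != ';')
            continue;
        j = i + 1;
        while (j < n && isspace((unsigned char)hdr[j]))
            j++;
        if (j + plen < n && ci_prefix(hdr + j, param) && hdr[j + plen] == '=')
            return hdr + j + plen + 1;
    }
    return NULL;
}

/* Measure a parameter value starting at v and ending before end. Quoted
 * values run to the closing quote (or end, if unterminated); bare values
 * run to ';' or whitespace. Sets *start to the first value byte. */
static size_t param_value(const char *v, const char *end, const char **start)
{
    const char *p = v;
    if (p < end && *p == '"') {
        *start = ++p;
        while (p < end && *p != '"')
            p++;
    } else {
        *start = p;
        while (p < end && *p != ';' && !isspace((unsigned char)*p))
            p++;
    }
    return (size_t)(p - *start);
}

/* Client side: copy the filename parameter into buf (size bufsz), truncating
 * rather than overrunning. Returns -1 if absent, 0 if copied whole, 1 if truncated. */
int get_filename(const char *header, char *buf, size_t bufsz)
{
    size_t n = strlen(header), len, keep;
    const char *v, *start;
    if (bufsz == 0)
        return -1;
    v = find_param(header, n, "filename");
    if (v == NULL) {
        buf[0] = '\0';
        return -1;
    }
    len = param_value(v, header + n, &start);
    keep = len < bufsz - 1 ? len : bufsz - 1;
    memcpy(buf, start, keep);
    buf[keep] = '\0';
    return keep < len;
}

/* End of a logical header line: folded continuation lines (starting with
 * whitespace) belong to the same header, so an overlong value split across
 * folds is still measured as one value. */
static const char *logical_line_end(const char *p)
{
    for (;;) {
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            return p + strlen(p);
        if (nl[1] == ' ' || nl[1] == '\t') {
            p = nl + 1;
            continue;
        }
        return nl;
    }
}

/* MTA side: number of header lines whose filename= or name= parameter is
 * longer than SUSPECT_LEN. A filter would reject or quarantine when > 0. */
int count_oversized_params(const char *headers)
{
    int hits = 0;
    const char *line = headers, *end, *v, *start;
    while (*line) {
        end = logical_line_end(line);
        v = find_param(line, (size_t)(end - line), "filename");
        if (v == NULL)
            v = find_param(line, (size_t)(end - line), "name");
        if (v != NULL && param_value(v, end, &start) > SUSPECT_LEN)
            hits++;
        line = (*end == '\n') ? end + 1 : end;
    }
    return hits;
}

/* Constructed sample: an ordinary attachment header pair. */
static const char SAMPLE_OK[] =
    "Content-Type: application/octet-stream; name=\"report.txt\"\r\n"
    "Content-Disposition: attachment; filename=\"report.txt\"\r\n";

/* Constructed sample: both parameters carry a 304-byte name. */
static char long_sample[3 * LONG_NAME_LEN + 128];
static const char *build_long_sample(void)
{
    char name[LONG_NAME_LEN + 1];
    memset(name, 'A', LONG_NAME_LEN);
    name[LONG_NAME_LEN] = '\0';
    snprintf(long_sample, sizeof long_sample,
             "Content-Type: application/octet-stream; name=\"%s.exe\"\r\n"
             "Content-Disposition: attachment; filename=\"%s.exe\"\r\n",
             name, name);
    return long_sample;
}

/* Benign sample: nothing flagged, filename copied whole. */
int check_ok_sample(void)
{
    char buf[MAX_FILENAME];
    return count_oversized_params(SAMPLE_OK) == 0
        && get_filename(SAMPLE_OK, buf, sizeof buf) == 0
        && strcmp(buf, "report.txt") == 0;
}

/* Overlong sample: both lines flagged, client copy truncated to fit. */
int check_long_sample(void)
{
    char buf[MAX_FILENAME];
    const char *h = build_long_sample();
    return count_oversized_params(h) == 2
        && get_filename(h, buf, sizeof buf) == 1
        && strlen(buf) == MAX_FILENAME - 1;
}

int main(void)
{
    printf("benign sample ok: %d\n", check_ok_sample());
    printf("overlong sample detected and truncated: %d\n", check_long_sample());
    return 0;
}
```

The point of the client-side routine is that the destination size, not the
header, decides how many bytes are written; the point of the MTA-side count is
that a gateway can refuse or hold a message on header length alone, before any
vulnerable client parses it. Folded headers are measured as one logical line
so that splitting a long value across continuation lines does not hide it.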

<P><B><U>Sendmail, Inc.</U></B>

<P>Sendmail, Inc. has produced a patch for version 8.9.1 of sendmail as
a service to their user base to assist system administrators in proactively
defending against these problems. Sites who choose not to install the patch
at this time will not increase their exposure to the problem in this case.
This patch and installation instructions are available at
<BR>&nbsp;
<BR>&nbsp;&nbsp;&nbsp; <A HREF="http://www.sendmail.com/sendmail.8.9.1a.html">http://www.sendmail.com/sendmail.8.9.1a.html</A>.

<P>Note that the patch is specific to sendmail version 8.9.1 only. If you
are unable to upgrade to this version, do not attempt to use the patch.

<P><B><U>John Hardin</U></B>

<P>John Hardin has modified his procmail Filters Kit to include filters
which may be able to assist sites in defending against these problems.
More information about the procmail Filters Kit is available at

<P>&nbsp;&nbsp;&nbsp; <A HREF="http://www.wolfenet.com/~jhardin/procmail-security.html">http://www.wolfenet.com/~jhardin/procmail-security.html</A>
<BR>
<HR>
<BR>Our thanks go to Marko Laakso and Ari Takanen of the Secure Programming
Group of the University of Oulu; Eric Allman and Gregory Shapiro of Sendmail,
Inc; AUSCERT; DFN-CERT; John Hardin; and Gene Spafford of Purdue University
for their input.

<P><B><U>NO WARRANTY</U></B>
<BR>Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied
as to any matter including, but not limited to, warranty of fitness for
a particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
<BR>


<p>Copyright 1998 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
Oct. 19, 1998  Added vendor information for Compaq Computer Corporation
Sept. 18, 1998 Added vendor information for Sun Microsystems, Inc.
Aug. 12, 1998  Added vendor information, see Appendix A
	       Updated risk mitigation information, see Appendix B
Aug. 11, 1998  Updated vendor information for Pegasus Mail
</PRE>