Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0760 -- UNIRAS Brief - 603/03 NISCC Vulnerability Advisory - 006489/SMIME 05 November 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: S/MIME Publisher: UNIRAS (UK Govt. CERT) Impact: Denial of Service Execute Arbitrary Code/Commands Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- Title ===== NISCC Vulnerability Advisory - 006489/SMIME Vulnerability Issues in Implementations of the S/MIME Protocol Version Information - ------------------- Advisory Reference 006489/SMIME Release DatE 4 November 2003 Last Revision 4 November 2003 Version Number1.0 What is affected? - ----------------- The vulnerabilities described in this advisory affect the S/MIME protocol, which is typically used to provide security services to e-mail applications. Many vendors include support for S/MIME in their products. Severity - -------- The severity of these vulnerabilities varies by vendor. In some cases, they could allow an attacker to create a denial-of-service condition. There are indications that it may be possible to execute code as a result of a buffer overflow, but this has not been demonstrated. Summary - ------- During 2002 the University of Oulu Security Programming Group (OUSPG) discovered a number of implementation specific vulnerabilities in the Simple Network Management Protocol (SNMP). NISCC has performed and commissioned further work to identify implementation specific vulnerabilities in related protocols that are critical to the UK Critical National Infrastructure. The S/MIME (secure multipurpose Internet mail extensions), which provides services such as digital signatures and encryption to e-mail, has been studied in this context. NISCC has produced a test suite for S/MIME and has employed it to validate a number of products from different vendors. The test results have been confirmed, and the affected vendors have been contacted with the test results. These vendors' product lines cover a great deal of the existing critical information infrastructure worldwide and have therefore been addressed as a priority. However, NISCC has subsequently contacted other vendors whose products employ S/MIME and provided them with tools with which to test their implementations. Details - ------- S/MIME is a set of protocols intended to provide security services, such as digital signatures and encryption, to e-mail. MIME (multipurpose Internet mail extensions) allows binary objects and attachments to be sent across an e-mail system; S/MIME specifies a mechanism by which MIME attachments may be exchanged in a consistent and secure fashion. (Although principally used to provide secure e-mail, S/MIME objects may, in theory, be passed by mechanisms other than e-mail. Such mechanisms are beyond the scope of this advisory.) S/MIME extends MIME by including the secure data in an attachment encoded using ASN.1 (Abstract Syntax Notation One). If one of the entities in an e-mail system knowingly or unknowingly send an exceptional ASN.1 element that cannot be handled properly by another party, the behaviour of the application receiving such an element is unpredictable. A denial-of-service may result, or there may be an opportunity for further exploitation. Both client and server software may be affected in this way. Vendor specific information will be released as it becomes available, but information will only be released with vendors' permission. Subscribers are advised to check the following URL regularly for updates: http://www.uniras.gov.uk/vuls/2003/006489/smime.htm [Please note that revisions to this advisory will not be notified by e-mail.] Solution - -------- Please refer to the Vendor Information section of this advisory for platform specific remediation. Vendor Information - ------------------ A list of vendors affected by this vulnerability is not currently available. Please visit the web site, http://www.uniras.gov.uk/vuls/2003/006489/smime.htm, in order to check for updates. Contact Information - ------------------- The NISCC Vulnerability Management Team can be contacted as follows: E-mail firstname.lastname@example.org Please quote the advisory reference in the subject line. Telephone +44 (0) 20 7821 1330 Ext 4511 Monday - Friday 08:30 - 17:00 hrs Fax +44 (0) 20 7821 1686 Post Vulnerability Management Team NISCC PO Box 832 London SW1P 1BG We encourage those who wish to communicate via e-mail to make use of our PGP key. This is available from http://www.uniras.gov.uk/UNIRAS.asc Please note that UK government protectively marked material should not be sent to the e-mail address above. If you wish to be added to our e-mail distribution list please e-mail your request to email@example.com. What is NISCC? - -------------- For further information regarding the UK National Infrastructure Security Co-ordination Centre, please visit http://www.niscc.gov.uk/aboutniscc/index.htm Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither shall NISCC accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. (C) 2003 Crown Copyright - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBP6hVCih9+71yA2DNAQHbXQP/YkMXBTiWCeC7XoWwl8TcM6z5idSoXLsp jHlEurvMJBSXgnYzQ9OBqvd8tnVhEEqnW+/ogPDOSwtSNEjRMySx2+kVkAejEKUS Eg7V5OeEHGQzOvOvQcu249KvxcfoU03nA8qui6s5ICIuOnMGLOFbdQJ1ur8xOWn5 xDLkkay9Gmg= =2PNN -----END PGP SIGNATURE-----