-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0762 -- UNIRAS Brief - 604/03
                  NISCC Vulnerability Advisory 006489/X400
                            05 November 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                X.400 Protocol
Publisher:              UNIRAS (UK Govt CERT)
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

Title
=====

NISCC Vulnerability Advisory 006489/X400

Vulnerability Issues in Implementations of the X.400 Protocol

Version Information
- - -------------------

Advisory Reference      006489/X400
Release Date            04 November 2003
Last Revision           03 November 2003
Version Number          1

What is affected?
- - -----------------

The vulnerabilities described in this advisory affect the messaging
protocol X.400. Many vendors include support for this protocol in their
products and may be impacted to varying degrees, if at all. The web page
detailing this vulnerability includes any vendor specific information that
is available to us. Please see

    http://www.uniras.gov.uk/vuls/2003/006489/x400.htm

for further information.

Severity
- - --------

The severity of these vulnerabilities varies by vendor. Please see the
vendor section below for further information. Alternatively contact your
vendor for product specific information.

If exploited, these vulnerabilities could allow an attacker to create a
Denial of Service condition. There are indications that it may also be
possible for an attacker to execute code as a result of a buffer overflow.

Summary
- - -------

During 2002 the University of Oulu Security Programming Group (OUSPG)
discovered a number of implementation specific vulnerabilities in the
Simple Network Management Protocol (SNMP).

Subsequent to this discovery, NISCC has performed and commissioned further
work on identifying implementation specific vulnerabilities in related
protocols that are critical to the UK Critical National Infrastructure.
One of these protocols is X.400.

NISCC has produced a set of test cases for X.400 and employed them in tests
against equipment supporting X.400. Vendors of X.400 products have been
contacted and supplied with the test cases for use against their own
products. These vendors' product lines cover a great deal of the existing
critical information infrastructure worldwide and have therefore been
addressed as a priority. However, NISCC has subsequently contacted other
vendors whose products employ X.400 and provided them with the test cases.

All users of messaging products that utilise the X.400 protocol are
recommended to take note of this advisory and carry out any remedial
actions suggested by their vendor(s).

This advisory can be viewed on-line at:

    http://www.uniras.gov.uk/vuls/2003/006489/x400.htm

[Please note that revisions to this advisory will not be routinely
notified by email. All subscribers are advised to regularly check the URL
above for updates to this notice.]

Details
- - -------

X.400 is an international standard protocol, published by the
International Telecommunications Union, that supports messaging
applications. As such it is often found on corporate email/messaging
servers and some email security platforms.

Messages are exchanged utilising Basic Encoding Rules (BER) encoded ASN.1
data structures. By crafting messages that do not correctly conform to the
X.400 ASN.1 definitions it may be possible to cause a receiving X.400
system to behave in an anomalous way. This could result in a Denial of
Service condition or potentially allow the execution of code embedded
within the crafted message.

Further detail will be released as it becomes available.

Solution
- - --------

Please refer to the vendor information for platform specific remediation.

Vendor Information
- - ------------------

A list of vendors affected by this vulnerability is not currently
available. Please visit this web page regularly in order to check for
updates.

Contact Information
- - -------------------

The NISCC Vulnerability Management Team can be contacted as follows:

Email           vulteam@niscc.gov.uk
                Please quote the advisory reference in the subject line

Telephone       +44 (0) 20 7821 1330 Ext 4511
                Monday - Friday 08:30 - 17:00 hrs

Fax             +44 (0) 20 7821 1686

Post            Vulnerability Management Team
                NISCC
                PO Box 832
                London
                SW1P 1BG

We encourage those who wish to communicate via email to make use of our
PGP key. This is available from

    http://www.uniras.gov.uk/UNIRAS.asc

Please note that UK government protectively marked material should not be
sent to the email address above.

If you wish to be added to our email distribution list please email your
request to uniras@niscc.gov.uk.

What is NISCC?
- - --------------

For further information regarding the UK National Infrastructure Security
Co-ordination Centre, please visit:

    http://www.niscc.gov.uk/aboutniscc/index.htm.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not be
liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

© 2003 Crown Copyright

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP6hpGyh9+71yA2DNAQEAPwP+MJ4dPNaS146W8p8Y1KJz35FnhapayYSM
907G0EoBzIADQ/m0nE9k3pM06dZKOYmdXXdZJeFkdhloA4J6JH1w8nAvfq9TR9Xr
NTCgdNqn43wRjgqqEwnEnwtGJO456jTjJKY0Xp50vRIxv4sFT0oQAdzrTG9ooCP9
AeIWglbBug4=
=4KmH
-----END PGP SIGNATURE-----
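The Details section of the advisory above attributes the problem class to X.400 receivers that do not check crafted BER-encoded ASN.1 against what the message actually contains. The following is an added illustration, written for this redistribution and not code from NISCC, UNIRAS, AusCERT or any X.400 vendor, of the defensive checks a BER tag-length-value walker needs before it trusts a length octet: the claimed length must fit inside the remaining buffer, indefinite and oversized length encodings are rejected, and nesting of constructed elements is capped. The sample inputs (a well-formed SEQUENCE, an OCTET STRING claiming more bytes than are present, an indefinite-length element, and a twenty-deep nest) are constructed for this example; the function names, the BER_MAX_DEPTH limit and the status codes are assumptions of the example, not part of any X.400 product.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for the walker (constructed for this example). */
enum ber_status { BER_OK = 0, BER_ERR_TRUNCATED = 1, BER_ERR_BAD_LENGTH = 2, BER_ERR_TOO_DEEP = 3 };

/* Assumed limit on nesting of constructed elements; a real decoder sets it per schema. */
#define BER_MAX_DEPTH 16

/* Decode one BER length field at buf[*pos] and advance *pos past it.
   Rejects the indefinite form (0x80), length-of-length above 4 octets,
   and, crucially, any length that would extend beyond 'end'. */
static enum ber_status ber_read_length(const uint8_t *buf, size_t *pos, size_t end, size_t *len_out)
{
    if (*pos >= end) return BER_ERR_TRUNCATED;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) {                    /* short form: the octet is the length */
        *len_out = first;
    } else {
        size_t nbytes = first & 0x7F;      /* long form: number of length octets */
        if (nbytes == 0 || nbytes > 4) return BER_ERR_BAD_LENGTH;
        if (end - *pos < nbytes) return BER_ERR_TRUNCATED;
        size_t len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[(*pos)++];
        *len_out = len;
    }
    /* The check a vulnerable decoder omits: claimed length vs. bytes actually present. */
    if (*len_out > end - *pos) return BER_ERR_BAD_LENGTH;
    return BER_OK;
}

/* Walk every TLV in buf[pos..end), descending into constructed elements.
   Every element reached is counted; the first error aborts the walk. */
static enum ber_status ber_walk(const uint8_t *buf, size_t pos, size_t end, int depth, size_t *count)
{
    if (depth > BER_MAX_DEPTH) return BER_ERR_TOO_DEEP;
    while (pos < end) {
        uint8_t tag = buf[pos++];
        if ((tag & 0x1F) == 0x1F) {        /* high-tag-number form: skip continuation octets */
            do {
                if (pos >= end) return BER_ERR_TRUNCATED;
            } while (buf[pos++] & 0x80);
        }
        size_t len;
        enum ber_status st = ber_read_length(buf, &pos, end, &len);
        if (st != BER_OK) return st;
        (*count)++;
        if (tag & 0x20) {                  /* constructed: contents are themselves TLVs */
            st = ber_walk(buf, pos, pos + len, depth + 1, count);
            if (st != BER_OK) return st;
        }
        pos += len;                        /* safe: len <= end - pos was verified above */
    }
    return BER_OK;
}

/* Validate a whole BER blob before any field is interpreted. */
enum ber_status ber_validate(const uint8_t *buf, size_t buflen, size_t *count)
{
    *count = 0;
    return ber_walk(buf, 0, buflen, 0, count);
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "ab" }. */
static const uint8_t sample_ok[] = { 0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x61, 0x62 };
/* Constructed sample: OCTET STRING claiming 127 bytes with only one present. */
static const uint8_t sample_oversized[] = { 0x04, 0x7F, 0x61 };
/* Constructed sample: SEQUENCE using the indefinite-length form. */
static const uint8_t sample_indefinite[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 };

size_t demo_well_formed_count(void)
{
    size_t count;
    return ber_validate(sample_ok, sizeof sample_ok, &count) == BER_OK ? count : 0;
}

int demo_oversized_length(void)
{
    size_t count;
    return ber_validate(sample_oversized, sizeof sample_oversized, &count);
}

int demo_indefinite_length(void)
{
    size_t count;
    return ber_validate(sample_indefinite, sizeof sample_indefinite, &count);
}

/* Twenty nested empty SEQUENCEs, built in place: 30 26 30 24 ... 30 00. */
int demo_deep_nesting(void)
{
    uint8_t buf[2 * 20];
    for (int i = 0; i < 20; i++) { buf[2 * i] = 0x30; buf[2 * i + 1] = (uint8_t)(2 * (19 - i)); }
    size_t count;
    return ber_validate(buf, sizeof buf, &count);
}

int main(void)
{
    printf("well-formed elements: %zu\n", demo_well_formed_count());
    printf("oversized length -> %d, indefinite -> %d, deep nesting -> %d\n",
           demo_oversized_length(), demo_indefinite_length(), demo_deep_nesting());
    return 0;
}
```

The point for a defender is where the check sits: the length is validated against the remaining buffer before any copy or descent uses it, so a message that "does not correctly conform" is rejected at the framing layer rather than reaching application code that would trust the octet count.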