SUMMARY

Researchers from the SecuriTeam at Beyond Security Ltd have identified a method to bypass SMTP scanning engines, including those in antivirus products. Because some mail clients can reassemble fragmented messages (per RFC 2046), an attacker could embed malicious code in a fragmented message that may avoid detection by some SMTP scanners in its fragmented form. When reassembled by the mail client, the malicious code may, potentially, execute on the client computer.

Risk
Low

Risk level is highly dependent on network configuration and mail client design.

Date Notified
08-08-2002

ISSUES

The SecuriTeam researchers, a branch of Beyond Security Ltd, discovered an issue that, while not new, is now being considered a potential vector for the distribution of malicious code. Under RFC 2046, Multipurpose Internet Mail Extension (MIME) Part Two, there is a little known feature called Message Fragmentation and Reassembly that provides a methodology for email applications to send large emails in smaller message segments (for example, image files).

The only well-known mail client that still lets you segment outgoing email (although not by default) is Microsoft Outlook Express. There may be others. This capability permits users with slow connection speeds or those working within size restrictions imposed by an ISP or corporate mail server to split a large email into smaller sections. When another mail client that adheres to the RFC receives them, the sections are recombined into a single email message on the client computer.

Microsoft email clients recombine incoming fragmented message segments into a single message by default. According to the SecuriTeam analysis, an attacker could hide malicious code disguised as small segments in a multi-sectioned email in such a manner that it would pass through SMTP filtering engines without being detected. When reconstituted on a client computer in its original malicious form, the code could then be used to compromise the targeted computer.

The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-1121 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems

MITIGATION

Symantec Response
Symantec has been aware of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company's comprehensive security policy to restrict potentially harmful content from the internal network.

Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.

Symantec takes any potential security issues such as this very seriously. Symantec recommends the following best practices as part of a normal security posture:

• Corporate users should develop a layered approach to secure against malicious code. Scanning at the gateway, the mail server, and on the client desktop provides the essential depth of protection for optimal risk mitigation.
   
• Users should keep vendor-supplied security patches and updates for all application software and operating systems current.
   
• Users should be wary of attachments and executables delivered via email and not open attachments or executables from unknown sources.
   
• Even if the sender is known, users should be wary of attachments or unknown files if the sender does not thoroughly explain the content in the body of the email. The source of the attachment is often unknown.
   
• If in doubt, users should contact the sender before opening the attachment or downloading the file. If there is still doubt, users should delete the document in question without opening it.

ACKNOWLEDGEMENTS

Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Beyond Security Ltd's SecuriTeam in reporting and providing details of this issue as well as working with Symantec to properly address the issue. Symantec would further like to give credit to Cat computer services (P) Ltd, who initially identified this potential problem and shared the information for solution development.

Anyone with information on security issues or concerns with Symantec products should contact [email protected]