{"vuid":"VU#836088","idnumber":"836088","name":"Multiple vendors' email content/virus scanners do not adequately check \"message/partial\" MIME entities","keywords":["RFC 2046","message fragmentation and re-assembly","Outlook Express","message/partial","MIME"],"overview":"Email anti-virus scanners and content filters from multiple vendors do not adequately check messages containing \"message/partial\" MIME entities (RFC 2046). As a result, viruses, malicious code, or other restricted content may not be detected.","clean_desc":"Section 5.2.2 of RFC 2046 defines the \"message/partial\" Multipurpose Internet Mail Extensions (MIME) type: 5.2.2. Partial Subtype The \"partial\" subtype is defined to allow large entities to be\n   delivered as several separate pieces of mail and automatically\n   reassembled by a receiving user agent. (The concept is similar to IP\n   fragmentation and reassembly in the basic Internet Protocols.) This\n   mechanism can be used when intermediate transport agents limit the\n   size of individual messages that can be sent. The media type\n   \"message/partial\" thus indicates that the body contains a fragment of\n   a larger entity. Email anti-virus scanners and content filters typically search messages for signatures or patterns that are associated with known viruses, malicious code, or restricted content. Some anti-virus scanners and content filters do not detect patterns that are fragmented across different \"message/partial\" MIME parts in multiple email messages. For example, an anti-virus scanner that would normally detect a well-known virus in an email message might fail to do so if the virus was sent as a \"message/partial\" MIME entity split across multiple email messages. Note that some products may corrupt messages containing \"message/partial\" MIME parts such that they cannot be automatically reassembled by mail user agents (MUAs). 
This behavior provides some protection at the cost of breaking the intended functionality of the \"message/partial\" MIME type. Beyond-Security SecuriTeam has released an advisory that describes this vulnerability in further detail.","impact":"Email anti-virus and content filters may not detect viruses, malicious code, or other restricted content that is sent as \"message/partial\" MIME parts in multiple email messages. Such messages may be automatically reassembled by MUAs, thus delivering the virus, malicious code, or restricted content to users.","resolution":"Apply Patch Apply a patch or upgrade from your vendor. For information about a specific vendor, check the Systems Affected section of this document or contact your vendor directly.","workarounds":"Block \"message/partial\" MIME Types If possible, configure your mail server, firewall, or other gateway technology to block messages containing \"message/partial\" MIME parts. Note that this will disable the intended functionality of this MIME type, and users will be unable to send or receive messages containing \"message/partial\" parts. Disable Message Reassembly If possible, configure your MUA to not reassemble fragmented messages automatically. This will prevent your MUA from reassembling any \"message/partial\" MIME entities, whether or not they are malicious. 
Use Desktop Anti-Virus Software Deploy and maintain updated desktop anti-virus software.","sysaffected":"","thanks":"The CERT/CC thanks Noam Rathaus of \nBeyond-Security SecuriTeam\n for reporting this vulnerability, and Menashe Eliezer of \nFinjan Software\n for information used in this document.","author":"This document was written by Art Manion.","public":["http://www.securiteam.com/securitynews/5YP0A0K8CM.html","http://online.securityfocus.com/bid/5696","http://online.securityfocus.com/archive/1/291993","http://www.iss.net/security_center/static/10088.php"],"cveids":["CVE-2002-1121"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-08-05T20:21:16Z","publicdate":"2002-09-12T00:00:00Z","datefirstpublished":"2002-09-13T07:07:44Z","dateupdated":"2002-09-18T22:14:04Z","revision":32,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"1","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"4","cam_easeofexploitation":"20","cam_attackeraccessrequired":"20","cam_scorecurrent":"1.8","cam_scorecurrentwidelyknown":"7.5","cam_scorecurrentwidelyknownexploited":"13.5","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":1.8,"vulnote":null}