Fragmented MIME messages bypass SMTP scanners
Risk level is highly dependent on network configuration and mail client design.
Researchers from the SecuriTeam at Beyond Security Ltd have identified a method to bypass SMTP scanning engines, including those in antivirus products. Because some mail clients can reassemble fragmented messages (per RFC 2046), an attacker could embed malicious code in a fragmented message that may avoid detection by some SMTP scanners in its fragmented form. When reassembled by the mail client, the malicious code may, potentially, execute on the client computer.
SecuriTeam, a branch of Beyond Security Ltd, discovered an issue that, while not new, is now being considered a potential vector for the distribution of malicious code. Under RFC 2046, Multipurpose Internet Mail Extension (MIME) Part Two, there is a little-known feature called Message Fragmentation and Reassembly that provides a methodology for email applications to send large emails (for example, ones carrying image files) as a series of smaller message segments.
The only well-known mail client that still lets you segment outgoing email (although not by default) is Microsoft Outlook Express. There may be others. This capability permits users with slow connection speeds or those working within size restrictions imposed by an ISP or corporate mail server to split a large email into smaller sections. When another mail client that adheres to the RFC receives them, the sections are recombined into a single email message on the client computer.
Microsoft email clients recombine incoming fragmented message segments into a single message by default. According to the SecuriTeam analysis, an attacker could hide malicious code disguised as small segments in a multi-sectioned email in such a manner that it would pass through SMTP filtering engines without being detected. When reconstituted on a client computer in its original malicious form, the code could then be used to compromise the targeted computer.
Symantec has been aware of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company's comprehensive security policy to restrict potentially harmful content from the internal network.
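The fragmentation described above and the reject-at-the-gateway policy Symantec describes, as an added Python example that is not part of the advisory or of any Symantec product. RFC 2046 carries each segment as a message whose Content-Type is message/partial with id, number and total parameters. The script builds a constructed inner message carrying an executable attachment, splits it into such fragments the way a sending client would, shows that a header-only look at any single fragment reveals no attachment at all, and then applies a gateway check that rejects fragments by default or, where an administrator has allowed them, reassembles the complete set so the scanner sees the message whole. All addresses, the fragment id and the attachment bytes are constructed placeholders; the function names are this example's own.

```python
"""Added example: detect and reassemble RFC 2046 message/partial fragments.
Not Symantec code; all addresses, ids and attachment bytes are constructed."""
from __future__ import annotations

import base64
from email import message_from_bytes
from email.parser import BytesParser
from email.policy import default as DEFAULT_POLICY

CRLF = b"\r\n"

# --- constructed sample data -------------------------------------------------
# A single-part inner message carrying an executable attachment.  The bytes are
# a harmless placeholder string, base64-encoded the way a mailer would send them.
ATTACHMENT_BYTES = b"placeholder attachment body, constructed for the example"
INNER_MESSAGE = CRLF.join([
    b"From: sender@example.test",
    b"To: recipient@example.test",
    b"Subject: quarterly report",
    b"MIME-Version: 1.0",
    b'Content-Type: application/octet-stream; name="report.exe"',
    b'Content-Disposition: attachment; filename="report.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(ATTACHMENT_BYTES),
]) + CRLF


def wrap_fragment(piece: bytes, frag_id: str, number: int, total: int) -> bytes:
    """Put one piece of the inner message in a message/partial envelope, as an
    RFC 2046 sending client does.  The envelope is itself a complete, valid
    7-bit message, which is why a scanner looking at it alone sees nothing odd."""
    headers = [
        b"From: sender@example.test",
        b"To: recipient@example.test",
        b"Subject: quarterly report (part %d)" % number,
        b"MIME-Version: 1.0",
        b'Content-Type: message/partial; id="%s"; number=%d; total=%d'
        % (frag_id.encode("ascii"), number, total),
        b"",
    ]
    return CRLF.join(headers) + CRLF + piece


def fragment_message(raw: bytes, n_pieces: int, frag_id: str) -> list[bytes]:
    """Split raw into at most n_pieces byte ranges and wrap each one."""
    size = -(-len(raw) // n_pieces)  # ceiling division
    pieces = [raw[i:i + size] for i in range(0, len(raw), size)]
    return [wrap_fragment(p, frag_id, i + 1, len(pieces)) for i, p in enumerate(pieces)]


# Constructed fragment set; the id is a placeholder, not a real Message-ID.
FRAGMENTS = fragment_message(INNER_MESSAGE, 3, "constructed-id@example.test")


def _parse_envelope(raw: bytes):
    # headersonly=True keeps the body as opaque text instead of letting the
    # parser treat message/partial content as a nested message.
    return BytesParser(policy=DEFAULT_POLICY).parsebytes(raw, headersonly=True)


def partial_params(raw: bytes) -> tuple[str, int, int | None] | None:
    """Return (id, number, total) if raw is a message/partial fragment, else None.
    RFC 2046 requires 'total' only on the last fragment, so it may be None."""
    msg = _parse_envelope(raw)
    if msg.get_content_type() != "message/partial":
        return None
    total = msg.get_param("total")
    return (msg.get_param("id"), int(msg.get_param("number")),
            int(total) if total is not None else None)


def envelope_filename(raw: bytes) -> str | None:
    """Attachment name visible to a scanner that inspects only the message as
    delivered.  For a fragment this is None: the attachment headers sit inside
    the body of piece 1, or are cut across pieces, never in the envelope."""
    return _parse_envelope(raw).get_filename()


def gateway_verdict(raw: bytes, allow_partial: bool = False) -> str:
    """Gateway policy as the advisory recommends: reject message/partial unless
    an administrator has explicitly enabled it, in which case the fragment is
    held until the whole set can be reassembled and scanned."""
    if partial_params(raw) is None:
        return "accept"
    return "hold-for-reassembly" if allow_partial else "reject"


def reassemble(fragments: list[bytes]):
    """Concatenate fragment bodies in 'number' order and parse the recovered
    inner message so it can be scanned whole.  Raises ValueError if the set
    mixes ids or is incomplete."""
    pieces: dict[int, bytes] = {}
    ids: set[str] = set()
    total = None
    for raw in fragments:
        params = partial_params(raw)
        if params is None:
            raise ValueError("not a message/partial fragment")
        frag_id, number, frag_total = params
        ids.add(frag_id)
        if frag_total is not None:
            total = frag_total
        pieces[number] = _parse_envelope(raw).get_payload(decode=True)
    if len(ids) != 1 or total is None or sorted(pieces) != list(range(1, total + 1)):
        raise ValueError("fragment set is incomplete or mixes ids")
    return message_from_bytes(b"".join(pieces[n] for n in range(1, total + 1)),
                              policy=DEFAULT_POLICY)


if __name__ == "__main__":
    for i, frag in enumerate(FRAGMENTS, 1):
        print(f"fragment {i}: verdict={gateway_verdict(frag)} "
              f"visible filename={envelope_filename(frag)}")
    whole = reassemble(FRAGMENTS)
    print("reassembled attachment:", whole.get_filename(),
          len(whole.get_payload(decode=True)), "bytes")
```

The split point is chosen by size alone, so the inner message's Content-Type and Content-Disposition lines land partly in piece 1 and partly in piece 2; a signature or content-type check run against any one envelope therefore has nothing to match on, which is the gap the advisory describes. Rejecting at the gateway is the simple policy; a gateway that must accept fragments has to buffer every piece of a set before scanning, and should drop sets that never complete.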
Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.
Symantec takes any potential security issues such as this very seriously. Symantec recommends the following best practices as part of a normal security posture:
- Corporate users should develop a layered approach to secure against malicious code. Scanning at the gateway, the mail server, and on the client desktop provides the essential depth of protection for optimal risk mitigation.
- Users should keep vendor-supplied security patches and updates for all application software and operating systems current.
- Users should be wary of attachments and executables delivered via email and not open attachments or executables from unknown sources.
- Even if the sender is known, users should be wary of attachments or unknown files if the sender does not thoroughly explain the content in the body of the email. The source of the attachment is often unknown.
- If in doubt, users should contact the sender before opening the attachment or downloading the file. If there is still doubt, users should delete the document in question without opening it.
Symantec takes the security and proper functionality of our products very seriously. Symantec appreciates the coordination of Beyond Security Ltd's SecuriTeam in reporting and providing details of this issue as well as working with Symantec to properly address the issue.
Symantec would further like to give credit to Cat computer services (P) Ltd, who initially identified this potential problem and shared the information for solution development.
Anyone with information on security issues or concerns with Symantec products should contact firstname.lastname@example.org
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-1121 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact email@example.com if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to firstname.lastname@example.org. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from email@example.com.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and firstname.lastname@example.org are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.