[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 603/03 - NISCC Vulnerability Advisory - 006489/SMIME

To: <uniras@xxxxxxxxxxxx>
Subject: UNIRAS Brief - 603/03 - NISCC Vulnerability Advisory - 006489/SMIME
From: "UNIRAS \(UK Govt CERT\)" <uniras@xxxxxxxxxxxx>
Date: Tue, 4 Nov 2003 11:49:16 -0000
Cc: <interim@xxxxxxxxxxxxxxxxxx>
Delivered-to: mailing list interim@xxxxxxxxxxxxxxxxxx
Delivered-to: moderator for interim@xxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 04 Nov 2003 13:02:06 +0100
Envelope-to: UNIRAS@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Importance: Normal
List-help: <mailto:interim-help@lists.niscc.gov.uk>
List-post: <mailto:interim@lists.niscc.gov.uk>
List-subscribe: <mailto:interim-subscribe@lists.niscc.gov.uk>
List-unsubscribe: <mailto:interim-unsubscribe@lists.niscc.gov.uk>
Mailing-list: contact interim-help@xxxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: <uniras@xxxxxxxxxxxx>

 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 603/03 dated 04.11.03  Time: 12:00
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

NISCC Vulnerability Advisory - 006489/SMIME

Vulnerability Issues in Implementations of the S/MIME Protocol 

Version Information 
- -------------------
Advisory Reference      006489/SMIME
Release DatE            4 November 2003
Last Revision           4 November 2003
Version                 Number1.0

What is affected? 
- -----------------
The vulnerabilities described in this advisory affect the S/MIME
protocol, which is typically used to provide security services to
e-mail applications.

Many vendors include support for S/MIME in their products. 

Severity 
- --------
The severity of these vulnerabilities varies by vendor. In some cases,
they could allow an attacker to create a denial-of-service
condition. There are indications that it may be possible to execute
code as a result of a buffer overflow, but this has not been
demonstrated.

Summary 
- -------
During 2002 the University of Oulu Security Programming Group (OUSPG)
discovered a number of implementation specific vulnerabilities in the
Simple Network Management Protocol (SNMP). NISCC has performed and
commissioned further work to identify implementation specific
vulnerabilities in related protocols that are critical to the UK
Critical National Infrastructure. The S/MIME (secure multipurpose
Internet mail extensions), which provides services such as digital
signatures and encryption to e-mail, has been studied in this context.

NISCC has produced a test suite for S/MIME and has employed it to
validate a number of products from different vendors. The test results
have been confirmed, and the affected vendors have been contacted with
the test results. These vendors' product lines cover a great deal of
the existing critical information infrastructure worldwide and have
therefore been addressed as a priority.  However, NISCC has
subsequently contacted other vendors whose products employ S/MIME and
provided them with tools with which to test their implementations.

Details 
- -------
S/MIME is a set of protocols intended to provide security services,
such as digital signatures and encryption, to e-mail. MIME
(multipurpose Internet mail extensions) allows binary objects and
attachments to be sent across an e-mail system; S/MIME specifies a
mechanism by which MIME attachments may be exchanged in a consistent
and secure fashion.

(Although principally used to provide secure e-mail, S/MIME objects
may, in theory, be passed by mechanisms other than e-mail. Such
mechanisms are beyond the scope of this advisory.)

S/MIME extends MIME by including the secure data in an attachment
encoded using ASN.1 (Abstract Syntax Notation One). If one of the
entities in an e-mail system knowingly or unknowingly send an
exceptional ASN.1 element that cannot be handled properly by another
party, the behaviour of the application receiving such an element is
unpredictable. A denial-of-service may result, or there may be an
opportunity for further exploitation. Both client and server software
may be affected in this way.

Vendor specific information will be released as it becomes available,
but information will only be released with vendors'
permission. Subscribers are advised to check the following URL
regularly for updates:

http://www.uniras.gov.uk/vuls/2003/006489/smime.htm 

[Please note that revisions to this advisory will not be notified by
e-mail.]

Solution 
- --------
Please refer to the Vendor Information section of this advisory for
platform specific remediation.

Vendor Information 
- ------------------
A list of vendors affected by this vulnerability is not currently
available.  Please visit the web site,
http://www.uniras.gov.uk/vuls/2003/006489/smime.htm, in order to check
for updates.

Contact Information
- -------------------
The NISCC Vulnerability Management Team can be contacted as follows: 

E-mail           vulteam@xxxxxxxxxxxx 

Please quote the advisory reference in the subject line.

Telephone        +44 (0) 20 7821 1330 Ext 4511 
                 Monday - Friday 08:30 - 17:00 hrs

Fax              +44 (0) 20 7821 1686

Post             Vulnerability Management Team
                 NISCC
                 PO Box 832
                 London
                 SW1P 1BG 

We encourage those who wish to communicate via e-mail to make use of
our PGP key. This is available from

http://www.uniras.gov.uk/UNIRAS.asc 

Please note that UK government protectively marked material should not
be sent to the e-mail address above.

If you wish to be added to our e-mail distribution list please e-mail
your request to uniras@xxxxxxxxxxxxx

What is NISCC? 
- --------------
For further information regarding the UK National Infrastructure
Security Co-ordination Centre, please visit

http://www.niscc.gov.uk/aboutniscc/index.htm 

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favouring by NISCC. The
views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions
contained within this briefing notice. In particular, they shall not
be liable for any loss or damage whatsoever, arising from or in
connection with the usage of information contained within this notice.

(C) 2003 Crown Copyright 

<End of NISCC Vulnerability Advisory> 
- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBP6eRg4pao72zK539AQHFPgP+LKKXiwh9/yLiO9oomTI51rKvVt4McfXU
30HAY8W8AttfOXel43yGPgmgRIDpcRoUNsskS4BXESKy5UuAN8DxsqVxB0ZNwZhc
huDTFWdBm4q8i9yHoWSTdCPjNuPDRTdB5/WjJvk2t8Q4hYVDo5sB5V9t6nq14pOg
3d4SNTiY+vc=
=nQcM
-----END PGP SIGNATURE-----

Next by Date: UNIRAS Brief - 602/03 - NISCC Vulnerability Advisory 006489/OpenSSL2
Next by thread: UNIRAS Brief - 602/03 - NISCC Vulnerability Advisory 006489/OpenSSL2
Index(es):
- Date
- Thread