
CSIS2005-1.txt

Posted Jan 4, 2005
Authored by Peter Kruse | Site csis.dk

CSIS Security Advisory - A remote denial of service condition exists in GFI MailEssentials due to a bug in Microsoft HTML parser.

tags | advisory, remote, denial of service
advisories | CVE-2004-1312
SHA-256 | 93a62c307daaa9ca746db431d7b8fb66de75b06bc9da6b585f7af7c6cb25c7fd

CSIS Security Advisory: [CSIS2005-1]

Remote DoS in GFI MailEssentials due to a bug in Microsoft HTML parser

Date Published: 3rd of January 2005

Product description:
GFI MailEssentials for Exchange/SMTP offers spam protection and email
management at server level. GFI MailEssentials offers a fast set-up and a
high spam detection rate using Bayesian analysis and other methods - no
configuration required, very low false positives through its automatic
whitelist, and the ability to automatically adapt to your email environment
to constantly tune and improve spam detection. GFI MailEssentials also adds
email management tools to your mail server: disclaimers, mail archiving and
monitoring, Internet mail reporting, list server, server-based auto replies
and POP3 downloading.

Summary:
Specially crafted HTML emails could cause GFI MailSecurity and GFI
MailEssentials to stop processing, with emails getting stuck in the IIS
queue or Exchange pre-submission queues. There will be no error indications
other than MailQueue stops processing. Restarting the server or services
will not help. The flaw will occur when MailEssentials processes the
strings in an email subject, body or in an attached text file. Exploitation
is trivial.


Vulnerability Class:
This flaw affects all tested versions of GFI MailEssentials and will cause a
remote Denial of Service.
Not tested are other programs making use of Microsoft HTML parser.


Details:
CSIS has discovered a flaw in GFI MailEssentials 9 and 10.x and GFI
MailSecurity 8.x where a specially crafted HTML email causes the products to
stop processing, resulting in emails getting stuck in the IIS/Exchange
queues.

The problem lies in a Microsoft HTML library that is made use of by a GFI
library, common to GFI MailSecurity and GFI MailEssentials.

A malicious user can exploit this flaw and craft an e-mail containing a
specially crafted JavaScript. When the e-mail containing the JavaScript is
received by MailEssentials, it will be processed resulting in a DoS. The
mail will reside in the queues until it's manually removed. If the server is
rebooted without removing the affected mail from the queues, the same mail
gets processed again and again and a new DoS will occur. MailEssentials will
not process any other in- or outbound e-mails until this mail is completely
removed from the bad mail queue. This is an ugly scenario since you'll end up
looking for a needle in a haystack.

CSIS would like to underline that this flaw is really a result of a bug in
Microsoft HTML parser. As such, this problem is not directly related to GFI.
We suspect other products are vulnerable as well.

Impact:
Medium-High: This is a remote DoS that leaves no trace, no warnings and no
indication of which e-mail is causing the problem.

Solution:
A fix has been released:

GFI MailEssentials 10.x - ftp://ftp.gfi.com/patches/ME10_PATCH_20041220_01.zip
GFI MailEssentials 9 - ftp://ftp.gfi.com/patches/me9_PATCH_20041220_01.zip
GFI MailSecurity 8.x - ftp://ftp.gfi.com/patches/MSEC8_PATCH_20041220_01.zip

It's strongly recommended to apply these patches as soon as possible. It
would also be wise to set up an alert mechanism that monitors the number of
mails in the queue. CSIS also recommends using the GFI monitor function to
see if mails get processed at regular intervals.
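
One way to build the queue alert recommended above, as an added example that
is not part of the CSIS advisory or GFI's tooling. It assumes the queue is a
directory with one file per message; the function names, the 15-minute
threshold and the three-sample window are hypothetical choices.

```python
import os
import time
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Snapshot:
    taken_at: float             # epoch seconds when the queue was sampled
    depth: int                  # number of message files in the queue
    oldest_name: Optional[str]  # file name of the longest-waiting message
    oldest_age: float           # seconds that message has been waiting

def snapshot_queue(queue_dir: str, now: Optional[float] = None) -> Snapshot:
    """Sample a queue directory (path supplied by the operator)."""
    now = time.time() if now is None else now
    entries = [e for e in os.scandir(queue_dir) if e.is_file()]
    if not entries:
        return Snapshot(now, 0, None, 0.0)
    oldest = min(entries, key=lambda e: e.stat().st_mtime)
    age = max(0.0, now - oldest.stat().st_mtime)
    return Snapshot(now, len(entries), oldest.name, age)

def detect_stall(history: List[Snapshot], max_age: float = 900.0,
                 min_samples: int = 3) -> Optional[str]:
    """Return the head-of-queue file name if the queue looks blocked.

    Blocked means: the same message has been oldest for the last
    min_samples samples, it is older than max_age seconds, and the
    queue depth never dropped between those samples.
    """
    recent = history[-min_samples:]
    if len(recent) < min_samples:
        return None
    head = recent[-1].oldest_name
    if head is None or recent[-1].oldest_age < max_age:
        return None
    same_head = all(s.oldest_name == head for s in recent)
    not_draining = all(b.depth >= a.depth for a, b in zip(recent, recent[1:]))
    return head if same_head and not_draining else None

if __name__ == "__main__":
    # Constructed samples taken 5 minutes apart; the file name is made up.
    history = [Snapshot(0, 5, "msg-0001.eml", 600),
               Snapshot(300, 9, "msg-0001.eml", 900),
               Snapshot(600, 14, "msg-0001.eml", 1200)]
    print("stalled behind:", detect_stall(history))
```

The file name it returns is only a first candidate to inspect when searching
the queue for the blocking message, not a confirmed cause.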

Affected Products:
GFI MailSecurity 8.x
GFI MailEssentials 9
GFI MailEssentials 10.x

Running on Microsoft Windows 2000 Server with all relevant patches
installed.

CSIS would like to thank GFI for a quick and professional response. It took
only 5 days for GFI to troubleshoot and fix this issue!

CVE:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2004-1312 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Links
For more information about the patches see GFI KB article:
http://kbase.gfi.com/showarticle.asp?id=KBID002249

This advisory can also be found at our website:
http://www.csis.dk/default.asp?m=1&a=194

---
Kind regards

Peter Kruse, Voice: (+45) 88136030
Security- and virusanalyst, Cel (+45) 28490532
CSIS ApS Fax (+45) 28176030
http://www.csis.dk E-mail pkr@csis.dk

PGP fingerprint
79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60

Combined Services & Integrated Solutions
Gevnø Gade 11a
4660 Store Heddinge, Denmark
