===========================================================================
                      AMaViS Security Announcement

Date:                23/11/2001
                     08/26/2002 (updated version)
affected version(s): AMaViS-0.2.1, if reformime is used
                     amavis-perl/amavisd is _NOT_ affected
Vulnerability Type:  eMail worm W32/Aliz may not be detected in all cases
Priority:            urgent
Solution:            upgrade to amavis-perl/amavisd
                     update to the latest reformime or use ripMIME instead
Author:              Rainer Link
                     Lars Hecking
Advisory ID:         ASA-2001-1
----------------------------------------------------------------------------

1. Problem description

AMaViS uses reformime to split a mail message into its parts, i.e. the mail
body and the attachment file(s). The file(s) are written to the directory
/var/tmp/scanmails/unpacked by default.

reformime is not able to handle any message where the mail header contains
a MIME Content-Type header followed by whitespace indented header lines,
e.g.

   Content-Type: multipart/mixed; boundary="bound"
     X-Priority: 3
     X-MSMail-Priority: Normal
     X-Mailer: Microsoft Outlook Express 5.50.4522.1300
     X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1300

In that case no parts are extracted, /var/tmp/scanmails/unpacked stays
empty, and no known virus/worm will be detected by the configured virus
scanner(s).

2. Impact

It is possible that the W32/Aliz worm is not detected and an infected eMail
is delivered to the user.

NOTE: metamail is able to handle such mails correctly, but fails to handle
multipart/alternative messages (in some cases?). Please see the AMaViS
Security Announcement 2000-1 for details.

3. Solution

We strongly recommend upgrading to amavis-perl/amavisd, as development of
the AMaViS 0.2.x branch has been discontinued since July, 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2).

As upgrading could be a big step which takes some time, please either
update to the latest reformime release (maildrop 1.3.6 or later) from

   http://www.courier-mta.org/download.php#maildrop

or use the following workaround/fix:

1. Grab the latest ripMIME from http://www.pldaniels.com/ripmime/#downloads
2. Install it
3. Open /usr/sbin/scanmails in your favorite editor and
   3.1 search for the line

          metamail=

       in the configuration section of the scanmails script. Change this
       to the location of ripmime, i.e. to

          metamail=/usr/local/bin/ripmime

   3.2 Search for the following line

          ${metamail} -x ${tmpdir}/unpacked/ < ${tmpdir}/receivedmail > /dev/null 2>&1

       Change this to

          ${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail --unique_names > /dev/null 2>&1

4. Save the file
5. Generate a test message with the EICAR Test-File-Virus
   (http://www.eicar.com/anti_virus_test_file.htm) to check if ripMIME is
   configured correctly within the scanmails script.

4. Acknowledgement

We would like to thank Ger Donohue, Mark Martinec and Enrico Binder for
reporting this problem to us, and everyone who sent us mail samples to
reproduce it. Also thanks to Sam Varshavchik for releasing a fixed version
of maildrop/reformime.

5. References

http://www.linux.ie/pipermail/ilug/2001-November/039609.html
http://sourceforge.net/tracker/index.php?func=detail&aid=484273&group_id=6006&atid=106006
http://sourceforge.net/tracker/index.php?func=detail&aid=484522&group_id=6006&atid=106006
http://marc.theaimsgroup.com/?t=100643616600009&w=2&r=1
http://marc.theaimsgroup.com/?l=amavis-user&m=100644967914633&w=2
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/

6. Revision History

22/11/2001: Initial release
23/11/2001: Solution section updated
            Re-issued as the script is /usr/sbin/scanmails
27/11/2001: Solution section updated as the latest reformime fixes this
            issue
08/26/2002: Re-issued, as --unique_names is needed for the ripMIME call to
            avoid overwriting of existing files
===========================================================================
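The failure described in section 1 leaves the unpack directory empty, and the scanners then see nothing to scan. The following is an added example, not code from the advisory or from AMaViS, of a fail-closed check that a scanmails-style script can run right after the unpack step (whether it calls reformime or ripMIME): a message whose top-level Content-Type is multipart/* but whose unpack directory holds no files is refused instead of being passed on as clean. Directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or AMaViS: a fail-closed check
# for a scanmails-style script, run right after the unpack step. A multipart
# message whose unpack directory is empty means MIME splitting failed (the
# reformime case above), so it must not be handed on as "clean".

# is_multipart FILE: true if the top-level Content-Type is multipart/*.
# Folded continuation lines (leading whitespace) are joined first, so the
# indented lines after Content-Type in the advisory's sample are handled.
is_multipart() {
    awk '
        function ct(h) { return tolower(h) ~ "^content-type:[ \t]*multipart/" }
        /^$/ { exit }                        # blank line ends the header section
        /^[ \t]/ { cur = cur " " $0; next }  # continuation of previous header
        { if (ct(cur)) { found = 1; exit }; cur = $0 }
        END { if (ct(cur)) found = 1; exit (found ? 0 : 1) }
    ' "$1"
}

# check_unpacked MSG DIR: true if DIR may go to the scanners, false if MSG
# is multipart but nothing was extracted into DIR.
check_unpacked() {
    if is_multipart "$1"; then
        find "$2" -type f -print | grep -q . || return 1
    fi
    return 0
}

# sample_message FILE: constructed message with the header layout quoted in
# the advisory (plain text part only, nothing malicious).
sample_message() {
    printf '%s\n' 'MIME-Version: 1.0' \
        'Content-Type: multipart/mixed;' '        boundary="bound"' \
        '  X-Priority: 3' '  X-Mailer: Microsoft Outlook Express 5.50.4522.1300' \
        '' '--bound' 'Content-Type: text/plain' '' 'hello' '--bound--' > "$1"
}

# Demonstration with the empty unpack directory the bug leaves behind.
tmp=$(mktemp -d)
sample_message "$tmp/receivedmail"
mkdir "$tmp/unpacked"
if check_unpacked "$tmp/receivedmail" "$tmp/unpacked"; then
    echo "ok: parts extracted, scanning can proceed"
else
    echo "REFUSING: multipart message but $tmp/unpacked is empty"
fi
rm -rf "$tmp"
```

In a real scanmails, the refusal branch should quarantine or temp-fail the message rather than let it continue to delivery.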