Date: Thu, 2 Apr 2009 17:10:48 +0200
From: Thierry Zoller <Thierry@Zoller.lu.>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM.>,
Subject: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
X-Originating-IP: 91.50.84.95
X-Virus-Scanned: antivirus-gw at tyumen.ru
______________________________________________________________________
From the low-hanging-fruit-department - IBM /ISS Proventia evasion
______________________________________________________________________
Release mode: Forced disclosure, no answer from vendor.
Ref : TZO-06-2009-IBM Proventia
WWW : http://blog.zoller.lu/2009/04/ibm-proventia-evasion-limited-details.html
Vendor : http://www.ibm.com
Security notification reaction rating : Catastrophic (see Timeline)
Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products : IBM Proventia engine (minimum 4.9.0.0.44 20081231
Official Release) other products using the engine are likely to be
affected too. As IBM has not cooperated in any way and I have better
things to do than to test IBM products for free I cannot state all
affected products, if you are an IBM/ISS customer please call IBM
support and request more details.
About this advisory
I used to not report bugs publicly where a a vendor - has not reacted
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
peers.
Over the past years I had the chace to audit and test a lot of critical
infrastructures that (also) relied on products (and about security
notification from vendors) and have witnessed various ways of setting
up your defenses that make some bugs critical that you'd consider low,
I came to the conclusion that most bugs deserve disclosure.
Please see "Common misconceptions" for more information.
I. Background
~~~~~~~~~~~~~
IBM Internet Security Systems (ISS) offers a comprehensive portfolio
of IT security products and services for organizations of all sizes.
IBM Proventia Network Mail Security System and IBM Proventia
Network Mail Security System Virtual Appliance provide spam
control and preemptive protection for your messaging
infrastructure.
Proventia Network Mail is the only email security solution equipped
with the IBM Intrusion Prevention System (IPS) engine and a behavioral
genotype (SIC!) anti-virus technology, along with remote malware
detection and Sophos signature-based anti-virus.
II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR archive in
a "certain way" that the IBM engine cannot extract the content but
the end user is able to. Details are currently witheld (see below).
A professional reaction to a vulnerability notification is a way
to measure the maturity of a vendor in terms of security. IBM is
given a grace period of two (2) weeks to reply to my notification.
Failure to do so will resulting in POC being released in two (2)
weeks. If IBM is not aware of how to deal with security notifications
I recommend them to read my security notification response draft on
how to do so at
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
As this bug has not been reproduced by the vendor, this advisory
relies on the assumption that my tests were conclusive.
I would like to thank AV-Tests GMBH for the cooperation.
III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect
code within the RAR archive. While the impact might be low client-
side (as code is inspected upon extraction by the user) the impact
for gateways or AV infrastructure where the archive is not extracted
is considerable. There is no inspection of the content at all, prior
disclosure therefore refered to this class of bugs as Denial of service
(you deny the service of the scan engine for that file) however I
choose to stick the terms of evasion/bypass, being the primary impact
of these types of bugs.
PS. I am aware that there are hundreds of ways to bypass, that however
doesn't make it less of a problem. I am waiting for the day where the
first worm uses these techniques to stay undetected over a longer
period of time, as depending on the evasion a kernel update (engine
update) is necessary and sig updates do not suffice. Resulting in
longer window of exposure - at least for GW solutions. *Must make
confiker reference here*
IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a ZIP file
The scanner denotes files that are passworded, an example is an E-mail
GW scanner that adds "Attachement not scanned" to the subject line or
otherwise indicates that the file was not scanned. This is not the case
with bypasses, in most cases the engine has not inspected the content
at all or has inspected it in a different way.
Additionaly passworded archive files are easily filterable by a content
policy, allowing or denying them.
- This is only an issue with gateway products
Every environment where the archive is not actively extracted by
the end-user is affected. For example, fileservers, databases
etc. pp. Over the years I saw the strangest environments that
were affected by this type of "bug". My position is that customers
deserve better security than this.
- If this is exploited by a worm it will be fixed within minutes.
Some bypasses required modifications in the AV "kernel" and cannot be
fixed with a signature update. As such it would not only take longer
but for those clients that do no push binary updates immediately
increase the window of exposure consistently.
- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.
- Evasions are the Cross Site scripting of File formats bugs
Yes.
IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
IBM was sent two POC files, an explanation and the disclosure terms
(http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)
09/03/2009 : Send proof of concept, description the terms under which
I cooperate and the planned disclosure date (23/03/2009)
Note: The security contact adress listed in OSVDB was used.
No reply.
13/03/2009 : Resend email indicating this is the last attempt to
coordinate disclosure
No reply.
23/03/2009 : Send another Report and a second POC
No reply.
02/04/2009 : Publication of a limited detail advisory, grace period of
2 weeks given to IBM prior to full detail advisory.
--
http://secdev.zoller.lu
Thierry Zoller