______________________________________________________________________

  From the low-hanging-fruit-department - IBM /ISS Proventia evasion 
______________________________________________________________________

Release mode: Forced disclosure, no answer from vendor.
Ref         : TZO-06-2009-IBM Proventia
WWW         : http://blog.zoller.lu/2009/04/ibm-proventia-evasion-limited-details.html
Vendor      : http://www.ibm.com
Security notification reaction rating : Catastrophic (see Timeline)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : IBM Proventia engine (minimum 4.9.0.0.44 20081231 
Official Release) other products using the engine are likely to be 
affected too. As IBM has not cooperated in any way and I have better 
things to do than to test IBM products for free I cannot state all 
affected products, if you are an IBM/ISS customer please call IBM 
support and request more details.


About this advisory
-------------------
I used to not report bugs publicly where a a vendor - has not reacted 
to my notifications - silently patched. I also did not publish
low hanging fruits as they make you look silly in the eyes of your
 peers.

Over the past years I had the chace to audit and test a lot of critical 
infrastructures that (also) relied on products (and about security 
notification from vendors) and have witnessed various ways of setting 
up your defenses that make some bugs critical that you'd consider low, 
I came to the conclusion that most bugs deserve disclosure. 

Please see "Common misconceptions" for more information.

I. Background
~~~~~~~~~~~~~
IBM Internet Security Systems (ISS) offers a comprehensive portfolio 
of IT security products and services for organizations of all sizes. 

IBM Proventia Network Mail Security System and IBM Proventia 
Network Mail Security System Virtual Appliance provide spam 
control and preemptive protection for your messaging 
infrastructure.

Proventia Network Mail is the only email security solution equipped 
with the IBM Intrusion Prevention System (IPS) engine and a behavioral 
genotype (SIC!) anti-virus technology, along with remote malware 
detection and Sophos signature-based anti-virus. 

II. Description
~~~~~~~~~~~~~~~
The parsing engine can be bypassed by manipulating RAR archive in 
a "certain way" that the IBM engine cannot extract the content but
the end user is able to. Details are currently witheld (see below).

A professional reaction to a vulnerability notification is a way 
to measure the maturity of a vendor in terms of security. IBM is 
given a grace period of two (2) weeks to reply to my notification.
Failure to do so will resulting in POC being released in two (2) 
weeks. If IBM is not aware of how to deal with security notifications
I recommend them to read my security notification response draft on 
how to do so at  
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

As this bug has not been reproduced by the vendor, this advisory 
relies on the assumption that my tests were conclusive. 

I would like to thank AV-Tests GMBH for the cooperation.

III. Impact
~~~~~~~~~~~
The bug results in denying the engine the possibility to inspect
code within the RAR archive. While the impact might be low client-
side (as code is inspected upon extraction by the user) the impact
for gateways or AV infrastructure where the archive is not extracted 
is considerable. There is no inspection of the content at all, prior 
disclosure therefore refered to this class of bugs as Denial of service 
(you deny the service of the scan engine for that file) however I 
choose to stick the terms of evasion/bypass, being the primary impact 
of these types of bugs.

PS. I am aware that there are hundreds of ways to bypass, that however
doesn't make it less of a problem. I am waiting for the day where the 
first worm uses these techniques to stay undetected over a longer 
period of time, as depending on the evasion a kernel update (engine 
update) is necessary and sig updates do not suffice. Resulting in 
longer window of exposure - at least for GW solutions. *Must make 
confiker reference here*


IV. Common misconceptions about this "bug class"
--------------------------------------------------
- This has the same effect as adding a password to a ZIP file

The scanner denotes files that are passworded, an example is an E-mail
GW scanner that adds "Attachement not scanned" to the subject line or
otherwise indicates that the file was not scanned. This is not the case
with bypasses, in most cases the engine has not inspected the content
at all or has inspected it in a different way.
Additionaly passworded archive files are easily filterable by a content
policy, allowing or denying them.

- This is only an issue with gateway products

Every environment where the archive is not actively extracted by 
the end-user is affected. For example, fileservers, databases
etc. pp. Over the years I saw the strangest environments that 
were affected by this type of "bug". My position is that customers
deserve better security than this.

- If this is exploited by a worm it will be fixed within minutes.
Some bypasses required modifications in the AV "kernel" and cannot be
fixed with a signature update. As such it would not only take longer
but for those clients that do no push binary updates immediately 
increase the window of exposure consistently.

- Behavioral analysis will catch this ?
No, the content is unreadable to the AV engine as such no inspection
whatsoever is possible.

- Evasions are the Cross Site scripting of File formats bugs
Yes.


IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~

IBM was sent two POC files, an explanation and the disclosure terms 
(http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html)

09/03/2009 : Send proof of concept, description the terms under which 
             I cooperate and the planned disclosure date (23/03/2009)
             Note: The security contact adress listed in OSVDB was used.
                         
                               No reply.
                         
13/03/2009 : Resend email indicating this is the last attempt to 
             coordinate disclosure
             
                               No reply.

23/03/2009 : Send another Report and a second POC

                               No reply.
                                 
02/04/2009 : Publication of a limited detail advisory, grace period of
             2 weeks given to IBM prior to full detail advisory.






-- 
http://secdev.zoller.lu
Thierry Zoller