______________________________________________________________________ From the low-hanging-fruit-department - IBM /ISS Proventia evasion ______________________________________________________________________ Release mode: Forced disclosure, no answer from vendor. Ref : TZO-06-2009-IBM Proventia WWW : http://blog.zoller.lu/2009/04/ibm-proventia-evasion-limited-details.html Vendor : http://www.ibm.com Security notification reaction rating : Catastrophic (see Timeline) Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html Affected products : IBM Proventia engine (minimum 4.9.0.0.44 20081231 Official Release) other products using the engine are likely to be affected too. As IBM has not cooperated in any way and I have better things to do than to test IBM products for free I cannot state all affected products, if you are an IBM/ISS customer please call IBM support and request more details. About this advisory ------------------- I used to not report bugs publicly where a a vendor - has not reacted to my notifications - silently patched. I also did not publish low hanging fruits as they make you look silly in the eyes of your peers. Over the past years I had the chace to audit and test a lot of critical infrastructures that (also) relied on products (and about security notification from vendors) and have witnessed various ways of setting up your defenses that make some bugs critical that you'd consider low, I came to the conclusion that most bugs deserve disclosure. Please see "Common misconceptions" for more information. I. Background ~~~~~~~~~~~~~ IBM Internet Security Systems (ISS) offers a comprehensive portfolio of IT security products and services for organizations of all sizes. IBM Proventia Network Mail Security System and IBM Proventia Network Mail Security System Virtual Appliance provide spam control and preemptive protection for your messaging infrastructure. Proventia Network Mail is the only email security solution equipped with the IBM Intrusion Prevention System (IPS) engine and a behavioral genotype (SIC!) anti-virus technology, along with remote malware detection and Sophos signature-based anti-virus. II. Description ~~~~~~~~~~~~~~~ The parsing engine can be bypassed by manipulating RAR archive in a "certain way" that the IBM engine cannot extract the content but the end user is able to. Details are currently witheld (see below). A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. IBM is given a grace period of two (2) weeks to reply to my notification. Failure to do so will resulting in POC being released in two (2) weeks. If IBM is not aware of how to deal with security notifications I recommend them to read my security notification response draft on how to do so at http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html As this bug has not been reproduced by the vendor, this advisory relies on the assumption that my tests were conclusive. I would like to thank AV-Tests GMBH for the cooperation. III. Impact ~~~~~~~~~~~ The bug results in denying the engine the possibility to inspect code within the RAR archive. While the impact might be low client- side (as code is inspected upon extraction by the user) the impact for gateways or AV infrastructure where the archive is not extracted is considerable. There is no inspection of the content at all, prior disclosure therefore refered to this class of bugs as Denial of service (you deny the service of the scan engine for that file) however I choose to stick the terms of evasion/bypass, being the primary impact of these types of bugs. PS. I am aware that there are hundreds of ways to bypass, that however doesn't make it less of a problem. I am waiting for the day where the first worm uses these techniques to stay undetected over a longer period of time, as depending on the evasion a kernel update (engine update) is necessary and sig updates do not suffice. Resulting in longer window of exposure - at least for GW solutions. *Must make confiker reference here* IV. Common misconceptions about this "bug class" -------------------------------------------------- - This has the same effect as adding a password to a ZIP file The scanner denotes files that are passworded, an example is an E-mail GW scanner that adds "Attachement not scanned" to the subject line or otherwise indicates that the file was not scanned. This is not the case with bypasses, in most cases the engine has not inspected the content at all or has inspected it in a different way. Additionaly passworded archive files are easily filterable by a content policy, allowing or denying them. - This is only an issue with gateway products Every environment where the archive is not actively extracted by the end-user is affected. For example, fileservers, databases etc. pp. Over the years I saw the strangest environments that were affected by this type of "bug". My position is that customers deserve better security than this. - If this is exploited by a worm it will be fixed within minutes. Some bypasses required modifications in the AV "kernel" and cannot be fixed with a signature update. As such it would not only take longer but for those clients that do no push binary updates immediately increase the window of exposure consistently. - Behavioral analysis will catch this ? No, the content is unreadable to the AV engine as such no inspection whatsoever is possible. - Evasions are the Cross Site scripting of File formats bugs Yes. IV. Disclosure timeline ~~~~~~~~~~~~~~~~~~~~~~~~~ IBM was sent two POC files, an explanation and the disclosure terms (http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html) 09/03/2009 : Send proof of concept, description the terms under which I cooperate and the planned disclosure date (23/03/2009) Note: The security contact adress listed in OSVDB was used. No reply. 13/03/2009 : Resend email indicating this is the last attempt to coordinate disclosure No reply. 23/03/2009 : Send another Report and a second POC No reply. 02/04/2009 : Publication of a limited detail advisory, grace period of 2 weeks given to IBM prior to full detail advisory. -- http://secdev.zoller.lu Thierry Zoller