Network Associates WebShield SMTP Anti-Virus Gateway Fails to Block BadTrans Virus Due to Errors in Processing the MIME Header
SecurityTracker Alert ID: 1002857
SecurityTracker URL: http://securitytracker.com/id/1002857
Date: Nov 29 2001
Impact: Host/resource access via network
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): WebShield SMTP for NT 4.5 and 4.5mr1a
A vulnerability was reported in the Network Associates WebShield SMTP anti-virus gateway. The gateway fails to decode certain MIME headers correctly and consequently does not recognize the attachment carrying the BadTrans virus.
It is reported that WebShield will not block the BadTrans *.scr attachment even when it is configured to block every message carrying a scr (or pif) attachment. Because the gateway does not recognize the MIME part as an attachment at all, neither the virus scan nor the attachment-name content filter is applied to it. The reporter notes that the virus is identified by the current DAT files when the same message is forwarded on, so the detection signature is not the problem; the gateway's MIME parsing is.
The vendor has reportedly been notified.
A remote user could pass a virus through WebShield.
No solution was available at the time of this entry. As a workaround, the vendor recommends adding a content filter rule that rejects messages containing the string audio/x-wav in the body of the message. This reportedly blocks the affected BadTrans messages, but it is a string match rather than detection: the virus itself is still not found, and the reporter notes that the same rule also stops any legitimate message that contains audio/x-wav and any message with a MIME header WebShield does not understand.
Vendor URL: www.nai.com/
Underlying OS: Windows (NT), Windows (2000)
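To make the failure mode concrete, here is an added example written for this page (it is not code from SecurityTracker, the reporter or Network Associates). It puts a deliberately fragile attachment detector, which only sees an attachment when the name appears on a single Content-Disposition line, beside a parser-based filter built on Python's standard email package, and includes the string-match workaround described above for comparison. The messages, boundaries and the file name report.scr are constructed for the example and are not taken from a BadTrans specimen; the audio/x-wav content type is the one the advisory mentions.

```python
"""Added example: a MIME-aware attachment filter beside the kind of
header-pattern filter the advisory describes being bypassed.
Not code from SecurityTracker, the reporter or NAI. The messages below are
constructed for this example (addresses, boundaries, names are made up)."""
import email
import os
import re
from email import policy

# Extensions the gateway's content filter is meant to block (from the advisory).
BANNED_EXTENSIONS = frozenset({".scr", ".pif"})

# Constructed: attachment name only in a folded Content-Type name= parameter,
# no Content-Disposition header at all.
SAMPLE_MESSAGE = b"""\
Subject: Re: CV
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_ABC123_===="

--====_ABC123_====
Content-Type: text/plain; charset=us-ascii

Please see the attached file.

--====_ABC123_====
Content-Type: audio/x-wav;
 name="report.scr"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBmaWxl
--====_ABC123_====--
"""

# Constructed: a conventionally declared, harmless attachment.
BENIGN_MESSAGE = b"""\
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_DEF456_===="

--====_DEF456_====
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="notes.txt"

line one
--====_DEF456_====--
"""

# Constructed: a multipart that never closes, i.e. a structure the parser rejects.
TRUNCATED_MESSAGE = b"""\
Subject: truncated
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====_GHI789_===="

--====_GHI789_====
Content-Type: text/plain; charset=us-ascii

no closing boundary follows
"""

_DISPOSITION_RE = re.compile(
    rb'^Content-Disposition:\s*attachment;\s*filename="?([^";\r\n]+)"?',
    re.IGNORECASE | re.MULTILINE,
)

def naive_attachment_names(raw: bytes) -> list[str]:
    """Deliberately fragile: an attachment exists only if its name sits on a
    single Content-Disposition line. A folded header, or a name carried only in
    Content-Type name=, is invisible, so no name-based rule is ever applied."""
    return [m.group(1).decode("latin-1") for m in _DISPOSITION_RE.finditer(raw)]

def robust_attachment_names(raw: bytes) -> list[str]:
    """Parse the MIME tree; get_filename() works on the unfolded header, tries
    the Content-Disposition filename= and falls back to Content-Type name=."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]

def should_block(raw: bytes, banned=BANNED_EXTENSIONS) -> tuple[bool, str]:
    """Fail closed: block on a banned extension, on a non-text part with no
    recoverable name, and on any part whose MIME structure the parser flagged
    as malformed, so 'could not parse' never degrades to 'nothing to scan'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.defects:
            return True, f"malformed MIME: {type(part.defects[0]).__name__}"
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            if part.get_content_maintype() != "text":
                return True, f"unnamed non-text part: {part.get_content_type()}"
            continue
        if os.path.splitext(name)[1].lower() in banned:
            return True, f"banned attachment extension: {name}"
    return False, "clean"

def vendor_workaround_blocks(raw: bytes) -> bool:
    """The advisory's workaround: match the literal string audio/x-wav. It
    stops this message but is a string match, not detection, and also stops
    legitimate mail carrying a WAV part."""
    return b"audio/x-wav" in raw

if __name__ == "__main__":
    for label, raw in (("crafted", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE),
                       ("truncated", TRUNCATED_MESSAGE)):
        print(label, naive_attachment_names(raw), robust_attachment_names(raw),
              should_block(raw), vendor_workaround_blocks(raw))
```

Run as a script, the crafted message yields no attachment names from the naive detector, so a *.scr rule keyed on it never fires, while the parser-based filter returns report.scr and blocks; the benign message passes both, and the truncated one is blocked purely because its structure did not parse. That last rule is the practitioner's point: a gateway that cannot parse a part must treat that as a reason to quarantine, not as evidence that there is nothing to scan.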
Source Message Contents
Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass
Reported to NAI for the first time on 26.11.2001, again on 27.11.2001, and every day since then.
NAI's response is at the end of this mail.
NAI WebShield SMTP for NT 4.5mr1a passes (at least in some
through without a virus check or a content-filter check based on attachment
name. One such attachment is the BadTrans virus.
WinNT4srv, SP6a, secrollup + a few other hotfixes, WebShield for NT 4.5 or
this can be reproduced with a fresh installation.
The main problem is that mail (sent by the virus) containing the BadTrans.b virus
will pass WebShield. Forwarding the same mail outside will result in a positive
identification of the BadTrans virus. If WebShield has a content filter saying
that all messages with scr (or pif) in the attachment name have to be blocked,
this rule does not apply either.
It seems that NAI WebShield SMTP for NT can't handle all MIME headers
properly. One example is below. WebShield can't parse this and it does
not realize that the message has an attachment. And because it does not realize
there is an attachment, it won't check it for viruses or against attachment
Received: FROM xxx.xxx.xxx BY xxx.xxx.xxx ; Mon Nov 26 20:36:21 2001 +0200
Received: from xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:35428 "EHLO
xxx.xxx.xxx") by xxx.xxx.xxx with ESMTP id ;
Mon, 26 Nov 2001 16:01:32 +0200
Received: from xxx.xxx (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx])
by xxx.xxx.xxx (8.11.4/8.11.2) with SMTP id fAQE1Rc16568
for ; Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Date: Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Subject: Re: CV
-------- Original Message --------
From: - Thu Nov 29 15:09:24 2001
BCC: "jari.helenius" <email@example.com>
Date: Thu, 29 Nov 2001 15:09:23 +0200
From: Jari Helenius <firstname.lastname@example.org>
Organization: Mawaron Oy
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18)
Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows
BadTrans to pass
Content-Type: text/plain; charset=us-ascii; format=flowed
Adding a rule in the content filter that says: if you find mail containing audio/x-wav
in the body of the message, stop those messages.
The virus is still not found, but the messages will be blocked.
This will also block all other messages with audio/x-wav in the text and all
messages that have a MIME header that WebShield does not understand.
Needless to say, yes, we have the latest DAT, the latest engine, compress checks, all
heuristics on and so on...
It is sad to find out that an AV vendor does not care about the problems they have.
On the other hand, what else can be expected from a company that have
If we find problems in our products or if we have a hotfix,
we will not inform anyone what we have, nor make these fixes available
(not even readmes).
If a customer can describe a problem that we have already fixed, we might
send the fix to them if we are in a good mood.
NAI's response, and a snippet of my mail that they responded to:
Thank you for the sample. We have determined that this is a known virus
which can be detected and removed.
There may be a problem with WebShield catching this virus.
The first thing we would suggest is to upgrade to the 4173 DAT, which has
improved detection capability.
If this doesn't help, we recommend that you get in touch with Technical
Support, as this is a product issue and it does need to be addressed and
The address to send this kind of issue to is: email@example.com
The part of my mail they responded to:
I know that this virus can be identified and removed with the current DAT
(we are using WebShield SMTP 4.5mr1a with the latest DAT and engine and all
heuristics, all attachments and compact options). If I forward received
mail that has this virus, it will be found.
The problem is that WebShield does not recognize that the mail has an attachment.
It does not check it; it does not catch it in the content filter. And if it
does not recognize that the mail has an attachment, it does not stop this mail.
We have verified 12 passed viruses (all with similar headers) and 5
deferred mails (when we stopped mail inside our network and let
WebShield check incoming mails; the sample was one of those mails).