Corsaire Warn Clearswift of Issues with MIME Evasion Within CS MAILsweeper

March 3, 2003 – Corsaire, www.corsaire.com, an independent information security consultancy, has discovered an issue with the way Clearswift’s content security gateway product CS MAILsweeper TM handles MIME encapsulation, potentially causing deliberately malformed attachments to evade the defined security policies.

The CS MAILsweeper TM product is an SMTP mail relay that provides advanced, policy based content security functionality. Part of this functionality allows the relay to block attachments based on their content. However, by using malformed MIME encapsulation techniques this functionality can be evaded.

The attachment detection functionality works by recursively analysing the SMTP message body and attachments for container constructs (such as MIME), decoding these and then comparing the contents against a predefined policy. If a deliberately malformed MIME encapsulation technique is used, then Clearswift’s CS MAILsweeper TM will not recognise the attachment and allows it to pass unhindered.

Corsaire discovered the issue when investigating a recent unrelated Internet Explorer exploit.

“When the Internet Explorer Embedded HTML Executable alert was raised, this immediately prompted a line of thought into the viability of the content gateway products to detect and stop this kind of threat at the corporate boundary”, commented Martin O’Neal, Technical Director at Corsaire.

He continued, “When we found this vulnerability in CS MAILsweeper TM, we were particularly concerned; being the market leader in this area, such a vulnerability would leave many organisations unwittingly exposed.”

Corsaire immediately notified their client base to the potential flaw (without exposing any of the details), and passed a full advisory on to Clearswift so that a permanent solution might be developed.

Clearswift have also taken steps to alert their registered customers to the potential issue, and have provided a freely downloadable update to their script detection product to allow this type of malformed MIME encapsulation to be detected. The script tool installation pack can be downloaded from: http://www.clearswift.com/support/threatlab/vbstool.asp

About Corsaire
With over 6 years experience in providing network security solutions to the private, public and non-profit sectors, including the FTSE 100, Corsaire is considered the UK’s leading specialist in the delivery of network security design, implementation and management. Whilst offering a broad range of bespoke solutions that are based on industry standards & guidelines, Corsaire adopts a consultative approach and combines a vendor neutral policy with knowledge-share to deliver impartial, up-to-date, personable advice. Corsaire is respected for its contribution to R&D, its consistent, high-level service delivery and an ability to combine technical and commercial excellence within the workplace.