Microsoft CryptoAPI / Outlook 2007-2013 Design Bug

2013.11.13
Credit: n.runs
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

n.runs professionals GmbH http://www.nruns.com/ security(at)nruns.com n.runs-SA-2013.006 12-Nov-2013 ________________________________________________________________________ Vendor: Microsoft, http://www.microsoft.com Product: CryptoAPI/Outlook 2007-2013 Vulnerability: design bug Tracking IDs: CVE-2013-3905, MSRC 14508, MS13-094 ___________________________________________________________________________ Vendor communication: 2008-01-11: Originally reported to MSRC 2008-04-01: Original advisory release (CVE-2008-3068) 2012-05-08: Update (portscanning, WriteAV) reported to MSRC via email 2012-05-15: MS acknowledges the receipt and opens a case 2012/2013: various status updates 2013-09-10: Patch released for the WriteAV bug (CVE-2013-3870, MS13-068) 2013-11-12: Patch released for the design bug (MS13-094) ___________________________________________________________________________ Overview: A design bug in X.509 certificate chain validation (RFC 3280) allows attackers to trigger (blind) HTTP requests for both external as well as internal IPs if a specially-crafted, S/MIME-signed email is opened in Microsoft Outlook. This issue, which has been originally reported in 2008 has been revisited and timing differences make it possible to identify open and closed ports on internal networks. Descriptions: The authority information access id-ad-caIssuers extension can be used to trigger arbitrary HTTP requests. When triggering alternated requests to internal and external hosts, timing differences can be observed and thus it can be determined by attackers whether ports on internal hosts are open or closed. For a more detailed description, see our blog post at http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex A proof-of-concept autoresponder replies to empty emails to smime-http-portscan@klink.name with an email which scans the 50 most widely used ports on localhost and contains a link to the result. An additional WriteAV bug was identified when a large number of nested S/MIME messages where being parsed in Outlook (CVE-2013-3870, MS13-094). Impact: Information disclosure about open/closed ports in internal networks. Fixes: This has been fixed in the November 2013 patch day (MS13-094). Workarounds: Block CryptoAPI user agents on an outgoing proxy. ________________________________________________________________________ Credits: Alexander Klink, n.runs professionals GmbH ________________________________________________________________________ References: This advisory and upcoming advisories: http://www.nruns.com/security_advisory.php ________________________________________________________________________ About n.runs: n.runs professionals GmbH is a vendor-independent consulting company specialising in the areas of: IT Infrastructure, IT Security and IT Business Consulting. Copyright Notice: Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an as is condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2013 n.runs professionals GmbH. All rights reserved. Terms of use apply.

References:

http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top