Software Engineering Institute

The U.K. National Infrastructure Security Co-ordination Center (NISCC) has reported multiple vulnerabilities in different vendors' implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. S/MIME allows binary objects and attachments to be sent across an email system. S/MIME extends the MIME specification by including the secure data in an attachment encoded using ASN.1. If one of the entities in an email system knowingly or unknowingly send an exceptional ASN.1 element that cannot be handled properly by another party, the behavior of the application receiving such an element is unpredictable.

A test suite developed by NISCC has exposed vulnerabilities in a variety of S/MIME implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Note that cryptographic libraries that implement S/MIME frequently provide more general-purpose cryptographic utility. In such libraries, it is common for ASN.1 parsing code to be shared between S/MIME and other cryptographic functions.

Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different S/MIME implementations. Information about individual vendors is available in the Systems Affected section.

Further information is available in NISCC Vulnerability Advisory - 006489/SMIME

The impacts associated with these vulnerabilities include denial of service, and potential execution of arbitrary code.

Patch or Upgrade

Apply a patch or upgrade as appropriate. Information about specific vendors is available in the Systems Affected section of this document.