n.runs-SA-2013.006 - Microsoft Outlook/Crypto API - Design Bug

[<security () nruns com>]

n.runs professionals GmbH
http://www.nruns.com/                              security(at)nruns.com
n.runs-SA-2013.006                                           12-Nov-2013
________________________________________________________________________
Vendor:             Microsoft, http://www.microsoft.com
Product:            CryptoAPI/Outlook 2007-2013
Vulnerability:      design bug
Tracking IDs:       CVE-2013-3905, MSRC 14508, MS13-094
___________________________________________________________________________
Vendor communication:
2008-01-11: Originally reported to MSRC
2008-04-01: Original advisory release (CVE-2008-3068)
2012-05-08: Update (portscanning, WriteAV) reported to
            MSRC via email
2012-05-15: MS acknowledges the receipt and opens a case
2012/2013:  various status updates
2013-09-10: Patch released for the WriteAV bug 
            (CVE-2013-3870, MS13-068)
2013-11-12: Patch released for the design bug (MS13-094)
___________________________________________________________________________
Overview:

A design bug in X.509 certificate chain validation (RFC 3280)
allows attackers to trigger (blind) HTTP requests for both
external as well as internal IPs if a specially-crafted,
S/MIME-signed email is opened in Microsoft Outlook.

This issue, which has been originally reported in 2008 has been
revisited and timing differences make it possible to identify
open and closed ports on internal networks.

Descriptions:
 
The authority information access id-ad-caIssuers extension can
be used to trigger arbitrary HTTP requests. When triggering
alternated requests to internal and external hosts, timing
differences can be observed and thus it can be determined by
attackers whether ports on internal hosts are open or closed.

For a more detailed description, see our blog post at
http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex

A proof-of-concept autoresponder replies to empty emails to
smime-http-portscan () klink name with an email which scans the
50 most widely used ports on localhost and contains a link
to the result.

An additional WriteAV bug was identified when a large number of
nested S/MIME messages where being parsed in Outlook 
(CVE-2013-3870, MS13-094).

Impact:

Information disclosure about open/closed ports in internal
networks.

Fixes:

This has been fixed in the November 2013 patch day (MS13-094).

Workarounds:

Block CryptoAPI user agents on an outgoing proxy.
________________________________________________________________________
Credits:
Alexander Klink, n.runs professionals GmbH
________________________________________________________________________
References:
This advisory and upcoming advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________
About n.runs:
n.runs professionals GmbH is a vendor-independent consulting company
specialising in the areas of: IT Infrastructure, IT Security and IT Business
Consulting.

Copyright Notice:
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security () nruns com for permission. Use of the advisory constitutes
acceptance for use in an “as is” condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of such
damages.
Copyright 2013 n.runs professionals GmbH. All rights reserved. Terms of use
apply.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/