Vigil@nce - Symantec Encryption Desktop: denial of service via compressed encrypted e-mail
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send special compressed messages to a user of
Symantec Encryption Desktop, in order to trigger a denial of
service.
Impacted products: Symantec Encryption Desktop
Severity: 2/4
Creation date: 22/08/2014
DESCRIPTION OF THE VULNERABILITY
The Symantec Encryption Desktop product offers functions to
encrypt e-mail.
Encrypted messages are often compressed before being actually
encrypted. The size of a decompressed message is not predictable.
However, Symantec Encryption Desktop does not enforce limits on
the decompression process. An attacker can build a message the
processing of which will require a large amount of memory, CPU
time and perhaps disk space.
An attacker can therefore send a special compressed message to a
user of Symantec Encryption Desktop, in order to trigger a denial
of service.
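The missing control described above is a bound on decompression output. As an added illustration (not code from Vigil@nce or Symantec, and not the product's actual format), the following models the compressed message body as a zlib stream and shows how a decompressor can be driven in bounded steps so that a small input cannot be expanded past a configured limit; the sample payload is a constructed 4 MiB run of zeros compressed to a few kilobytes.

```python
import zlib

# Constructed sample input: 4 MiB of zero bytes compressed with zlib (a few KB).
# It stands in for a highly compressible message body; it is not a real
# Symantec Encryption Desktop message.
ORIGINAL_SIZE = 4 * 1024 * 1024
SAMPLE_PAYLOAD = zlib.compress(b"\x00" * ORIGINAL_SIZE, 9)


class DecompressionLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured bound."""


def bounded_decompress(data: bytes, max_output: int, chunk_size: int = 64 * 1024) -> bytes:
    """Decompress a zlib stream but never produce more than max_output bytes.

    The decompressor is driven in small steps via max_length, so the running
    output size is checked before each step instead of after an unbounded
    decompress() call has already consumed the memory.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        # Request at most one byte beyond the remaining budget: if that extra
        # byte arrives, the stream is over the limit and we stop right here.
        want = min(chunk_size, max_output - len(out) + 1)
        chunk = d.decompress(pending, want)
        out += chunk
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes from {len(data)} compressed bytes")
        pending = d.unconsumed_tail  # input not yet consumed because of max_length
        if d.eof:
            return bytes(out)
        if not chunk and not pending:
            raise ValueError("truncated or corrupt compressed stream")


def decompresses_within(data: bytes, max_output: int) -> bool:
    """True if the stream decompresses completely without exceeding max_output."""
    try:
        bounded_decompress(data, max_output)
    except (DecompressionLimitExceeded, ValueError, zlib.error):
        return False
    return True


if __name__ == "__main__":
    print("compressed size:", len(SAMPLE_PAYLOAD))
    print("within 8 MiB:", decompresses_within(SAMPLE_PAYLOAD, 8 * 1024 * 1024))
    print("within 1 MiB:", decompresses_within(SAMPLE_PAYLOAD, 1024 * 1024))
```

A mail client applying such a cap rejects the message after producing at most the budgeted amount of output, instead of committing unbounded memory, CPU time and disk space to it.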
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN