Gaping security hole in ESS content filtering

content filter security hole

4 replies to this topic

#1 Anthony Mabes

Anthony Mabes
  • Members
  • 6 posts

Posted 07 June 2017 - 10:28 AM

Today, I noticed attempts by bad actors to send in docx Word files that are encrypted using the "protect document" feature of Microsoft Word. As I have with Word documents containing macros, I created a content filter to block a string that appears in every encrypted Word docx. Specifically blocking "encryptedHmacKey=" (without quotes), since it appears in the raw text of an encrypted docx file, *should* stop this threat quickly and easily.

It didn't work. My test docx documents got through. I sent a simple text document with the banned content. Blocked. Word doc, sails through. Changed the extension on the test Word doc to .txt and it was blocked. Something is not working as advertised.

After a conversation with support, they allowed as how their content filter attempts to open a Word document as a Word document and scan the content, instead of just scanning the raw text. Since the file contents are encrypted, the scanner fails and the attachment sails right through.

This is a HUGE hole. This needs to be fixed.



#2 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 397 posts

Posted 07 June 2017 - 10:48 AM

We are aware of this limitation.

Note that Attachment Content filters are looking for Content in the attachment (what you can read) and not the control features of the document, so to scan any Microsoft document we need to be able to open it.

Documents that are natively protected by the program cannot be opened, so we can't read them.

We are working on a feature similar to "Block Password Protected Archives" which you will be able to turn on to stop this mail.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#3 Anthony Mabes

Anthony Mabes
  • Members
  • 6 posts

Posted 08 June 2017 - 06:49 AM

That's a huge fail security-wise. Bad actors specially craft files designed to break file filters and have for years.

Give me some control over what happens if an attachment is unreadable by your file filters.

You SHOULDN'T need to be able to open and fully interpret a document to inspect the contents for unwanted features like executable code, encryption, etc. I don't want anything that's not been vetted through a virus scanner allowed to sail straight into my network.
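The behaviour asked for in posts #1 and #3, as an added example that is not part of the thread and not Barracuda's code: a Python check that recognises a password-protected docx from its container and quarantines anything it cannot read instead of letting it pass. It assumes that a protected OOXML file is an OLE compound file holding an `EncryptedPackage` stream rather than a ZIP; the function names and sample bytes are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # directory names are UTF-16LE
AGILE_MARKER = b"encryptedHmacKey="                  # string quoted in post #1

def classify_docx(data: bytes) -> str:
    """Return 'ooxml', 'encrypted' or 'unreadable' for a .docx attachment."""
    if data.startswith(OLE_MAGIC):
        # Heuristic byte search: a protected docx is an OLE container, not a ZIP.
        if ENC_STREAM in data or AGILE_MARKER in data:
            return "encrypted"
        return "unreadable"  # OLE, but not what a .docx should be
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "[Content_Types].xml" in z.namelist() and z.testzip() is None:
                return "ooxml"
    except (zipfile.BadZipFile, RuntimeError):
        pass  # corrupt archive or ZIP-level password: treated as unreadable
    return "unreadable"

def verdict(data: bytes, banned: tuple = ()) -> str:
    """Fail closed: anything the scanner cannot read is quarantined."""
    kind = classify_docx(data)
    if kind != "ooxml":
        return "quarantine:" + kind
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            body = z.read(name)
            if any(term in body for term in banned):
                return "block:" + name
    return "allow"

def _sample_docx(text: bytes) -> bytes:
    # Constructed minimal ZIP standing in for a readable .docx.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<w:t>" + text + b"</w:t>")
    return buf.getvalue()

# Constructed stand-in for an encrypted file: header plus stream name only.
SAMPLE_ENCRYPTED = OLE_MAGIC + b"\x00" * 504 + ENC_STREAM
SAMPLE_CLEAN = _sample_docx(b"quarterly report")
SAMPLE_BANNED = _sample_docx(b"wire transfer urgent")
SAMPLE_TRUNCATED = SAMPLE_CLEAN[:40]
```

The point of `verdict` is the default: a parse failure yields a quarantine decision, so an attachment the scanner cannot open never reaches the "allow" branch.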



#4 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 397 posts

Posted 08 June 2017 - 10:22 AM

Anthony,

I'm not aware of any virus scanner that opens and filters encrypted mail.

If someone is sending mail with an attachment that requires a password and that password is included in the email with the attachment, then the mail should be deleted, as there was no point to the password protection other than to bypass virus scanners. The document isn't secure because the password is included with the email.

This is something that you should stress to your users.

I don't see any time where we will MIME-convert an attachment and then look in the raw data for content. Doing this could easily result in our units being compromised by malicious code. That is why all attachments are MIME encoded to prevent command and control strings being in emails.

As noted, we hope to have the option to block/quarantine MS password protected files in a future release.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#5 Nate Gagne

Nate Gagne
  • Members
  • 3 posts

Posted 01 December 2017 - 02:32 PM

It's been six months and no new releases in a product that clearly is not adapting to the challenges it's trying to solve. We need this functionality.  When can we expect it?