CVE-2005-3027

Vulnerability

Sybari Antigen 8.0 SR2 for Exchange/SMTP fails to properly enforce custom filter rules when processing SMTP messages [1]. A message with the Subject line of "Antigen forwarded attachment" triggers a code path that causes Antigen to ignore user-defined file-extension blocking rules, allowing arbitrary file attachments to pass through virus scanning is not bypassed [1,2]. Versions prior to Antigen 8.0 SR3 (8.00.1517) are affected.

Exploitation

An unauthenticated remote attacker can craft an SMTP message with the Subject line exactly set to "Antigen forwarded attachment" and attach a file of any type. The attacker does not require any prior access, authentication, or user interaction on the target mail system [2]. The message is delivered through the Internet to the vulnerable Antigen server, which then processes it and forwards the attachment to the recipient's inbox without applying custom file-type filters.

Impact

Successful exploitation allows the attacker to bypass an organization's custom email attachment policies, delivering file types that would normally be blocked (e.g., executable scripts, archives with sensitive extensions) into users' mailboxes [1]. This has an integrity impact on the email system's expected filtering behavior [2]; the vulnerability does not affect confidentiality or availability, and virus scanning remains operational.

Mitigation

Sybari released Antigen 8.0 SR3 (Version 8.00.1517) which fixes this vulnerability; administrators should update via the online update mechanism [1,2]. No workaround is described in the available references. The product has since reached end-of-life; however, if still in use, upgrade to the latest supported version is strongly advised.