CVE-2014-3436 in PGP Desktopinfo

Summary

by MITRE

Symantec Encryption Desktop 10.3.x before 10.3.2 MP3, and Symantec PGP Desktop 10.0.x through 10.2.x, allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted encrypted e-mail message that decompresses to a larger size.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/11/2022

Symantec Encryption Desktop and PGP Desktop products suffered from a critical denial of service vulnerability that exploited decompression bomb techniques to consume excessive system resources. This vulnerability affected versions 10.3.x prior to 10.3.2 MP3 and 10.0.x through 10.2.x of the software, creating a significant risk for organizations relying on these encryption solutions for email security. The flaw specifically targeted the decompression handling mechanism within the email decryption process, where maliciously crafted encrypted messages could trigger unlimited resource consumption.

The technical implementation of this vulnerability exploited the decompression algorithms used in the email decryption pipeline. When a specially crafted encrypted email message was processed, the decompression routine would decompress the data to an unexpectedly large size, causing the system to consume excessive cpu cycles and memory resources. This type of attack falls under the category of resource exhaustion attacks, where attackers leverage the legitimate functionality of a system to consume resources beyond normal operational limits. The vulnerability demonstrates a classic flaw in input validation and resource management where the system failed to implement proper size limits or resource consumption monitoring during decompression operations.

The operational impact of CVE-2014-3436 was severe for affected organizations, as it allowed remote attackers to disrupt email services and potentially cause system instability. When exploited, the vulnerability could cause sustained high cpu utilization and memory consumption, leading to system slowdowns or complete service denial. This attack vector was particularly dangerous because it could be executed remotely without requiring authentication, making it accessible to any attacker who could send malicious emails to targeted users. Organizations using these encryption solutions faced potential business disruption and increased risk of operational downtime, especially in environments where email availability was critical for business operations.

This vulnerability aligns with CWE-400, which addresses "Uncontrolled Resource Consumption" and specifically relates to the improper handling of compressed data that can lead to resource exhaustion. The attack pattern follows the techniques described in the ATT&CK framework under T1499.004, which covers "Endpoint Denial of Service" through resource exhaustion attacks. Organizations should have implemented proper input validation, decompression size limits, and resource monitoring to prevent this class of attacks. The fix involved updating to Symantec Encryption Desktop 10.3.2 MP3 and later versions, which included enhanced decompression handling and resource consumption controls. Security teams should have also implemented email filtering rules and monitoring for unusual decompression patterns to detect potential exploitation attempts.

Reservation

05/09/2014

Disclosure

08/21/2014

Moderation

accepted

Entry

VDB-67397

CPE

ready

EPSS

0.01072

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!