Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Mercury Mail IMAP Buffer Overflow Vulnerability

Subscribe

Check Point Reference: CPAI-2007-042
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA13348
Industry Reference(s):

CVE-2004-1211
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
Mercury Mail version 4.01 and Prior 
Vulnerability Description
Multiple buffer overflow vulnerabilities exist in Mercury Mail Transport System. Mercury Mail Transport System is a free mail server program that supports various email access and exchange protocols, including the Internet Message Access Protocol (IMAP). IMAP is a standard protocol for accessing e-mail from a local server that provides management of received messages on a remote server. Several mail servers contain buffer overflow errors in the way they handle commands. A remote attacker can exploit this issue to trigger a buffer overflow which may lead to an application crash and to arbitrary code execution.
Update/Patch Available
Apply patch:
ftp://ftp.usm.maine.edu/pegasus/mercury32/m32-401b.zip
Vulnerability Details
The vulnerability is due to a buffer overflow error when processing malformed IMAP commands. A remote attacker can exploit this flaw via a specially crafted IMAP command with an overly long string in its parameter. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected system.

Protection Overview
Overly long IMAP commands may cause a buffer overflow on an affected server. The protection addresses this issue by validating the length of the commands and blocking them if they exceed a certain length. No update is required to address this vulnerability.

Users are protected against this vulnerability if the IMAP protection for blocking malformed commands addressed in the Protection section of SBP-2007-01 has been applied.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
EXAMINE command buffer overflow
SUBSCRIBE command buffer overflow
STATUS command buffer overflow
APPEND command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
DELETE command buffer overflow
LIST command buffer overflow
SEARCH command buffer overflow
CREATE command buffer overflow
RENAME command buffer overflow
UNSUBSCRIBE command buffer overflow

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
EXAMINE command buffer overflow
SUBSCRIBE command buffer overflow
STATUS command buffer overflow
APPEND command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
DELETE command buffer overflow
LIST command buffer overflow
SEARCH command buffer overflow
CREATE command buffer overflow
RENAME command buffer overflow
UNSUBSCRIBE command buffer overflow

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
EXAMINE command buffer overflow
SUBSCRIBE command buffer overflow
STATUS command buffer overflow
APPEND command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
DELETE command buffer overflow
LIST command buffer overflow
SEARCH command buffer overflow
CREATE command buffer overflow
RENAME command buffer overflow
UNSUBSCRIBE command buffer overflow

InterSpect 2.0

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
EXAMINE command buffer overflow
SUBSCRIBE command buffer overflow
STATUS command buffer overflow
APPEND command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
DELETE command buffer overflow
LIST command buffer overflow
SEARCH command buffer overflow
CREATE command buffer overflow
RENAME command buffer overflow
UNSUBSCRIBE command buffer overflow

Connectra NGX R62 & R61

How Can I Protect My Network?
Users of the versions mentioned above are protected against the vulnerability if the protection outlined in SBP-2007-01 has been applied.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: IMAP Protocol Violation
Attack Information:
Overly long IMAP command detected
EXAMINE command buffer overflow
SUBSCRIBE command buffer overflow
STATUS command buffer overflow
APPEND command buffer overflow
CHECK command buffer overflow
CLOSE command buffer overflow
EXPUNGE command buffer overflow
FETCH command buffer overflow
DELETE command buffer overflow
LIST command buffer overflow
SEARCH command buffer overflow
CREATE command buffer overflow
RENAME command buffer overflow
UNSUBSCRIBE command buffer overflow