Preemptive Protection against Ipswitch IMail Server LOGIN Command Buffer Overflow Vulnerability
| Check Point Reference: | CPAI-2007-088 | |
| Date Published: | ||
| Severity: | ||
| Source: | SecurityFocus: 24962 | |
| Industry Reference(s): | CVE-2007-2795 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Ipswitch IMail 2006 prior to 2006.21 Ipswitch IMail Plus 2006 prior to 2006.21 Ipswitch IMail Premium 2006 prior to 2006.21 | ||
| Vulnerability Description A buffer overflow vulnerability exists in Ipswitch IMail Server IMAP component. Ipswitch IMail server is a messaging service suite that supports numerous mail exchanging protocols, including the Internet Message Access Protocol (IMAP). IMAP is a standard protocol for accessing e-mail from a local server that provides management of received messages on a remote server. Several mail servers contain buffer overflow errors in the way they handle commands. A remote attacker can exploit this issue to trigger a buffer overflow which may lead to an application crash and to arbitrary code execution. |
||
|
Vulnerability Details The vulnerability is due to a boundary error within the Imailsec.dll library when processing overly long IMAP LOGIN commands. A remote attacker can exploit this flaw via a specially crafted LOGIN command. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected system. |
Protection Overview
Overly long IMAP commands may cause a buffer overflow on an affected server. The protection addresses this issue by validating the length of the commands and blocking them if they exceed a certain length. No update is required to address this vulnerability.
Users are protected against this vulnerability if the IMAP protection for blocking malformed commands addressed in the Protection section of SBP-2007-01 has been applied.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands > Block Long IMAP Commands.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: LOGIN command buffer overflow
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the Smartdefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. In the configuration pane select the following protection:
Block Long IMAP Commands
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: LOGIN command buffer overflow
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. In the configuration pane select the following protection:
Block Long IMAP Commands
3. Install security policy.
How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. In the configuration pane select the following protection:
Block Long IMAP Commands
3. Install security policy.
How Do I Know if My Network is Under Attack?
Rule #99150 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
3. Select the following protection:
Block Long IMAP Commands
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: LOGIN command buffer overflow
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following protection:
Block Long IMAP Commands
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: IMAP Protocol Violation
Attack Information: LOGIN command buffer overflow
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Long IMAP Commands
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:
Attack Name: IMAP Protocol Violation
Attack Information: LOGIN command buffer overflow