Update Protection against Zeus Web Server SSL2_Client_Hello Buffer Overflow

Vulnerability
Protection

Check Point Reference:	CPAI-2010-101
Date Published:
Severity:
Source:	Intevydis Blog
Industry Reference(s):	N/A
Protection Provided by:	IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Zeus Web Server 4.3r4
Vulnerability Description Zeus Web Server is a web server for Unix and Unix-like platforms. A buffer overflow was detected in Zeus Web Server SSL2 implementation (SSL2_CLIENT_HELLO).

Update/Patch Available The vulnerability was fixed in Zeus Server version 4.3r5: http://support.zeus.com/zws/news/2010
Vulnerability Details A SSL man-in-the-middle attack was detected in Zeus Web Server. The vulnerability affects all compliant SSL implementations.

Protection Overview
The protection detects and blocks SSL messages which are larger than 16K.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SSL protection group.
3. Click SSL Message Length Compliance Failure (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: SSL Protocol Parser
Description: SSL Message Length Compliance Failure

Legal Notice for Threat Center Advisories