Preemptive Protection against MailEnable IMAP Service Buffer Overflow Vulnerability

Check Point Reference: CPAI-2006-146
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-4778
Secunia Advisory: SA23080
Industry Reference(s): CVE-2006-6239
Protection Provided by:
VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
MailEnable Enterprise 1.40
MailEnable Enterprise 2.33
MailEnable Professional 1.83
MailEnable Professional 2.33
Vulnerability Description
A buffer overflow vulnerability exists in the MailEnable IMAP service. MailEnable is an email server suite for Microsoft Windows. Several IMAP servers contain buffer overflow errors in the way they handle IMAP commands. By carefully crafting an overly long SELECT/EXAMINE command, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution.
Update/Patch Available
Apply hotfix:
http://www.mailenable.com/hotfix/ME-10021.ZIP
Vulnerability Details
This flaw is due to a buffer overflow error when processing overly long EXAMINE and SELECT IMAP commands. A remote attacker can exploit this vulnerability via an overly long argument. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected system.

Protection Overview
Overly long IMAP commands (SELECT and EXAMINE) may cause a buffer overflow on an affected IMAP server. The protection addresses this issue by validating the length of the SELECT and EXAMINE commands and blocking these commands if they exceed a certain length. No update is required to address this vulnerability.
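
The length validation described above, sketched as an added example (not Check Point's code and not part of the original advisory). The 255-octet limit and the names `check_imap_line` and `scan` are assumptions; the advisory only says "a certain length". The reason string mirrors the log entries listed further down the page.

```python
import re

# Assumption: the advisory only says "a certain length"; 255 is a placeholder limit.
MAX_MAILBOX_LEN = 255
GUARDED = {"SELECT", "EXAMINE"}
# IMAP literal marker "{n}" (or non-synchronizing "{n+}") announcing n octets.
LITERAL = re.compile(rb"\{(\d+)\+?\}")


def check_imap_line(line: bytes, limit: int = MAX_MAILBOX_LEN):
    """Return (verdict, reason) for one client line: '<tag> <command> <args>'."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 2:
        return ("allow", "no command")
    command = parts[1].upper().decode("ascii", "replace")
    if command not in GUARDED:
        return ("allow", "not SELECT/EXAMINE")
    arg = parts[2] if len(parts) == 3 else b""
    literal = LITERAL.fullmatch(arg)
    if literal:
        # Mailbox name follows as a literal: judge the declared octet count.
        size = int(literal.group(1))
    else:
        if len(arg) >= 2 and arg.startswith(b'"') and arg.endswith(b'"'):
            arg = arg[1:-1]  # length of a quoted name excludes the quotes
        size = len(arg)
    if size > limit:
        return ("block", f"{command} Command Buffer Overflow")
    return ("allow", "within limit")


# Constructed sample client lines (not captured traffic).
SAMPLE = [
    b"a001 CAPABILITY\r\n",
    b"a002 SELECT INBOX\r\n",
    b'a003 examine "' + b"A" * 600 + b'"\r\n',
    b"a004 SELECT {4096}\r\n",
    b'a005 SELECT "Sent Items"\r\n',
]


def scan(lines):
    return [check_imap_line(l) for l in lines]


if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE, scan(SAMPLE)):
        print(verdict, reason, line[:40])
```

The literal case matters because a mailbox name can be announced as `{n}` and sent on the following line, so a check that only measures the visible command line would miss it.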

Users are protected against this vulnerability if the IMAP protections for blocking malformed SELECT and EXAMINE commands addressed in the Protection section of CPAI-2006-098 and CPAI-2006-046 have been applied.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands.

2. Select the following:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

3. In the configuration pane, under Settings > Mode, check Active.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
EXAMINE Command Buffer Overflow
SELECT Command Buffer Overflow

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protections:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
EXAMINE Command Buffer Overflow
SELECT Command Buffer Overflow

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protections:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99144 and 99149 for malformed EXAMINE and SELECT commands, respectively.

VPN-1 VSX NGX

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protections:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99144 and 99149 for malformed EXAMINE and SELECT commands, respectively.

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protections:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
EXAMINE Command Buffer Overflow
SELECT Command Buffer Overflow

InterSpect 2.0

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protections:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information:
EXAMINE Command Buffer Overflow
SELECT Command Buffer Overflow

Connectra NGX R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, click the following:

Block EXAMINE Command Buffer Overflow
Block SELECT Command Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: IMAP Protocol Violation
Attack Information:
EXAMINE Command Buffer Overflow
SELECT Command Buffer Overflow