
Update Protection against Multiple Vendors' LDAP Server Remote Denial of Service Vulnerabilities


Check Point Reference: CPAI-2006-039
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-0537
SecurityTracker: 1015604
Gleg Advisory
Secunia Advisory: SA18818
Secunia Advisory: SA18738
Industry Reference(s): CVE-2006-0717
CVE-2006-0468
CVE-2006-0647
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
IBM Tivoli Directory Server 4.x, 5.x, 6.x
IBM Lotus Domino 7.x
Sun Java System Directory Server 5.x
Sun ONE Directory Server 5.x
CommuniGate Pro 5.x
Isode M-Vault Server 11.x
Vulnerability Description
LDAP servers from several vendors are vulnerable to a denial of service (DoS) condition. Vulnerable servers include IBM Tivoli Directory Server, Sun Java System Directory Server, IBM Lotus Domino, CommuniGate Pro Core Server and Isode M-Vault Server. Remote attackers can exploit the vulnerabilities to crash the service or execute code via a specially crafted LDAP request to an affected LDAP server.
Vulnerability Details
Sun Java System Directory Server: A vulnerability was reported in Sun Java System Directory Server. A remote attacker can send specially crafted data to the LDAP port on the target system to cause the LDAP server to crash.

IBM Tivoli Directory Server: A vulnerability has been identified in IBM Tivoli Directory Server, due to an error in the LDAP service that fails to properly handle malformed requests sent to port 389/TCP. A remote attacker could cause a denial of service by sending a specially crafted LDAP request to a vulnerable system.

IBM Lotus Domino LDAP Server: A vulnerability was detected in Lotus Domino, which can be exploited by attackers to cause a denial of service condition. The vulnerability is caused by an error in the LDAP server's handling of certain requests. The service can be crashed via a specially crafted request sent to port 389/TCP.

CommuniGate Pro Core Server: Multiple vulnerabilities have been detected in the LDAP component of CommuniGate Pro. The vulnerabilities could be used by a remote unauthenticated attacker to crash the server or, in the worst case, to execute arbitrary code.

Isode M-Vault Server: A vulnerability was reported in Isode M-Vault Server, which can be exploited by attackers to cause a DoS and potentially compromise a vulnerable system. The vulnerability is caused by an error in the LDAP server's handling of certain requests. A remote attacker can trigger this via a specially crafted request sent to port 389/TCP.

Protection Overview
The protection blocks specially crafted LDAP requests that may lead to a denial of service condition (DoS) on the affected LDAP server.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
All in all, the update includes the following protections:

  • MS-RPC Protections Enforced on TCP Ports (CPSA-2006-03)
  • Oracle Reports/Forms Vulnerability (CPAI-2006-037)
  • IPSwitch WhatUp Professional DoS (CPAI-2006-038)
  • Multiple Products LDAP Vulnerabilities (CPAI-2006-039)
  • Multiple Products FTP Servers Vulnerabilities (CPAI-2006-040)

VPN-1 NGX R61

How Can I Protect My Network?
1. Update your SmartDefense: Click the SmartDefense Services tab. In the left pane, from the drop-down list, click Download Updates and then click the Online Update button.
2. In the SmartDefense tree, click Application Intelligence > LDAP and enable LDAP Server Remote DoS.



3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information:
LDAP Server Remote DoS Exploit Attempt Detected
Novell eDirectory DoS attempt detected

VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > LDAP and enable LDAP Server Remote DoS.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information:
LDAP Server Remote DoS Exploit Attempt Detected
Novell eDirectory DoS attempt detected 

VPN-1 NG with Application Intelligence R55/R54, VSX

How Can I Protect My Network?
1. Update your SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > LDAP and enable LDAP Server Remote DoS.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log entries for rule #99389.

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click Application Intelligence > LDAP and enable LDAP Server Remote DoS.

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information:
LDAP Server Remote DoS Exploit Attempt Detected
Novell eDirectory DoS attempt detected

InterSpect 2.0

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > LDAP and enable LDAP Server Remote DoS.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information:
LDAP Server Remote DoS Exploit Attempt Detected
Novell eDirectory DoS attempt detected
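
A triage sketch for the "How Do I Know if My Network is Under Attack?" sections above, added here and not Check Point code: it filters a log export for the Attack Name and Attack Information strings (and rule #99389, which the R55/R54 and VSX section gives instead) and counts hits per source and targeted LDAP server. The semicolon-delimited export layout and its column names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Indicator strings copied from the advisory's SmartView Tracker sections.
ATTACK_NAME = "ldap protections"
ATTACK_INFO = {
    "ldap server remote dos exploit attempt detected",
    "novell edirectory dos attempt detected",
}
LEGACY_RULE = "99389"  # R55/R54 and VSX gateways log this rule number instead

# Constructed sample export. The layout and column names are assumptions,
# not a documented Check Point format; adapt them to your own export.
SAMPLE_EXPORT = """\
time;src;dst;service;rule;attack_name;attack_info
2006-02-20 10:01:02;198.51.100.7;10.0.0.5;389;12;LDAP Protections;LDAP Server Remote DoS Exploit Attempt Detected
2006-02-20 10:01:09;198.51.100.7;10.0.0.5;389;12;LDAP Protections;Novell eDirectory DoS attempt detected
2006-02-20 10:02:30;203.0.113.9;10.0.0.5;389;99389;;
2006-02-20 10:03:11;192.0.2.44;10.0.0.8;21;7;Constructed Other Protection;Constructed unrelated entry
2006-02-20 10:04:45;198.51.100.7;10.0.0.6;389;12;LDAP Protections;LDAP Server Remote DoS Exploit Attempt Detected
"""


def _field(row, key):
    """Normalise a column: missing values, stray whitespace and case."""
    return (row.get(key) or "").strip().casefold()


def ldap_dos_hits(export_text):
    """Return the rows that carry the advisory's log indicators."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    hits = []
    for row in reader:
        named = (_field(row, "attack_name") == ATTACK_NAME
                 and _field(row, "attack_info") in ATTACK_INFO)
        if named or _field(row, "rule") == LEGACY_RULE:
            hits.append(row)
    return hits


def summarize(hits):
    """Count hits per (source, targeted LDAP server), busiest pair first."""
    return Counter((r["src"], r["dst"]) for r in hits).most_common()


if __name__ == "__main__":
    for (src, dst), count in summarize(ldap_dos_hits(SAMPLE_EXPORT)):
        print(f"{src} -> {dst}: {count} logged LDAP DoS attempt(s)")
```
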