
Update Protection against Microsoft Exchange Vulnerability (MS06-019)


Check Point Reference: CPAI-2006-042
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-019
Industry Reference(s): CVE-2006-0027
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
Who is Vulnerable?
Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 (870540)
Microsoft Exchange Server 2003 Service Pack 1 and Service Pack 2
Vulnerability Description
A vulnerability exists in Microsoft Exchange Server that could allow an attacker to take complete control of the affected system. To exploit the vulnerability, an attacker would have to construct a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an email with certain MIME vCal or iCal properties. vCal and iCal are MIME content types used by Microsoft Exchange Server and email clients when sending and exchanging information related to calendars and scheduling.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-019
Vulnerability Details
The vulnerability specifically exists in the EXCDO and CDOEX functionality provided with Exchange Server. Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) are interfaces that allow for certain types of information to be processed in the Exchange store. These interfaces do not properly process certain iCal and vCal properties, which are MIME content types provided in email messages.

Protection Overview
By enabling the protection, SMTP connections containing the .ics extension will be blocked.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 (all versions from R54)

How Can I Protect My Network?
1. Create a new SMTP resource and give it a name (Manage > Resources).
2. In the Action2 tab, enter the following:
In the Strip MIME of Type, enter

text/calendar

In the Strip file by name, enter

{*.ics, *.vcs}

3. Place the resource in the rulebase.
4. Install security policy on all modules.
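
The strip criteria from step 2, as an added example (not Check Point code): a Python script that lists the MIME parts of a message matching `text/calendar` or the `*.ics` / `*.vcs` name patterns, which can be used to check stored or test mail against the same rules. The sample message is constructed, the function names are hypothetical, and case-insensitive name matching is an assumption; the page does not say how the SMTP resource treats case.

```python
import fnmatch
from email import message_from_string, policy
from email.message import EmailMessage

# Criteria copied from the SMTP resource settings in step 2.
STRIP_MIME_TYPES = {"text/calendar"}
STRIP_NAME_PATTERNS = ("*.ics", "*.vcs")
ICAL_STUB = "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n"  # constructed, harmless body


def part_matches(part):
    """Return why a MIME part matches the strip criteria, or None."""
    if part.get_content_type() in STRIP_MIME_TYPES:
        return "mime-type"
    name = (part.get_filename() or "").lower()  # assumption: case-insensitive match
    if any(fnmatch.fnmatchcase(name, pat) for pat in STRIP_NAME_PATTERNS):
        return "file-name"
    return None


def audit_message(raw):
    """List (content_type, filename, reason) for each leaf part that matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        reason = part_matches(part)
        if reason:
            hits.append((part.get_content_type(), part.get_filename(), reason))
    return hits


def build_sample():
    """Constructed message: an invite, a mislabelled .vcs file, a plain note."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", "bob@example.com"
    msg["Subject"] = "Planning meeting"
    msg.set_content("Agenda attached.")
    msg.add_attachment(ICAL_STUB, subtype="calendar", filename="invite.ICS")
    msg.add_attachment(ICAL_STUB.encode(), maintype="application",
                       subtype="octet-stream", filename="old-format.vcs")
    msg.add_attachment(b"notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    print(audit_message(build_sample()))
```

The second attachment shows why both settings are filled in: a calendar file sent as `application/octet-stream` is caught only by the file-name rule.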

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Information: reason: Forbidden MIME attachment stripped
Information: reason: Content Security - access denied