
Preemptive Protection against MailEnable IMAP Service Remote Code Execution Vulnerability


Check Point Reference: CPAI-2006-150
Date Published:
Severity:
Last Updated:
Source: Secunia Research: 20061211
Industry Reference(s): CVE-2006-6423
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
MailEnable Enterprise Edition versions 1.1 through 1.41
MailEnable Enterprise Edition versions 2.0 through 2.35
MailEnable Professional Edition versions 1.6 through 1.84
MailEnable Professional Edition versions 2.0 through 2.35
Vulnerability Description
A buffer overflow vulnerability exists in the MailEnable IMAP service. MailEnable is an email server suite for Microsoft Windows. Several IMAP servers contain buffer overflow errors in the way they handle IMAP commands. By carefully crafting an overly long LOGIN command, an attacker can trigger a buffer overflow, which may lead to an application crash or arbitrary code execution.
Update/Patch Available
Apply hotfix:
http://www.mailenable.com/hotfix/ME-10025.EXE
Vulnerability Details
This flaw is due to a buffer overflow error when processing an overly long LOGIN command. A remote attacker can exploit this vulnerability via a specially crafted IMAP command with an overly long argument. Successful exploitation may allow an attacker to create a denial of service condition or execute arbitrary code on an affected system.

Protection Overview
Overly long IMAP commands (LOGIN) may cause a buffer overflow on an affected IMAP server. The protection addresses this issue by validating the length of the LOGIN command and blocking it if it exceeds a certain length. No update is required to address this vulnerability.

Users are protected against this vulnerability if the IMAP protection for blocking malformed LOGIN commands, described in the Protection section of CPAI-2006-098, has been applied.
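The length check described in the Protection Overview, sketched as an added example (this is not Check Point's implementation and not code from the advisory). The 64-byte limit is an assumption, since the advisory only says "a certain length"; the function names and the sample lines are constructed for illustration.

```python
import re

MAX_TOKEN = 64  # assumed limit; the advisory does not state the real threshold

# One LOGIN argument: quoted string, literal size announcement {n} or {n+}, or atom.
_ARG = re.compile(rb'"((?:[^"\\]|\\.)*)"|\{(\d+)\+?\}|([^\s"]+)')

def login_token_lengths(line: bytes):
    """Return the argument lengths of an IMAP LOGIN line, or None if the
    line is not a LOGIN command. A literal counts as its announced size;
    quoted strings are measured raw, so escapes slightly overcount."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 2 or parts[1].upper() != b"LOGIN":
        return None
    rest = parts[2] if len(parts) == 3 else b""
    lengths = []
    for m in _ARG.finditer(rest):
        if m.lastindex == 2:                      # {n}: data arrives later,
            lengths.append(int(m.group(2)))       # so judge the declared size
        else:
            lengths.append(len(m.group(m.lastindex)))
    return lengths

def verdict(line: bytes, max_token: int = MAX_TOKEN) -> str:
    """'block' if any LOGIN token exceeds max_token, otherwise 'pass'."""
    lengths = login_token_lengths(line)
    if lengths is not None and any(n > max_token for n in lengths):
        return "block"
    return "pass"

# Constructed sample traffic (client-to-server lines), not captured data.
SAMPLE = [
    b'a001 LOGIN alice s3cret\r\n',            # normal atoms
    b'a002 login "bob" "pass word"\r\n',       # quoted strings, lower-case verb
    b'a003 LOGIN ' + b'A' * 300 + b' x\r\n',   # overly long atom
    b'a004 LOGIN {4096}\r\n',                  # oversized literal announcement
    b'a005 LOGIN "' + b'B' * 200 + b'\r\n',    # unterminated quote, long body
    b'a006 SELECT INBOX\r\n',                  # not a LOGIN command
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(verdict(raw), raw[:40])
```

The same per-token limit is worth enforcing in the server's own parser before any copy into a fixed-size buffer, so the check does not depend solely on the gateway.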

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > Malformed IMAP Commands.
2. Select the following:

Block Long Token in LOGIN Command

3. In the configuration pane, under Settings > Mode, check Active.



4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information: Long Token in LOGIN Command

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protection:

Block Long Token in LOGIN Command

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information: Long Token in LOGIN Command

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protection:

Block Long Token in LOGIN Command

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule number 99148.

VPN-1 VSX NGX

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protection:

Block Long Token in LOGIN Command

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule number 99148.

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protection:

Block Long Token in LOGIN Command

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information: Long Token in LOGIN Command

InterSpect 2.0

How Can I Protect My Network?
1. Click Application Intelligence > Mail > Malformed IMAP Commands and enable the following protection:

Block Long Token in LOGIN Command

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: IMAP Protocol Violation
Attack Information: Long Token in LOGIN Command

Connectra NGX R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, click the following:

Block Long Token in LOGIN Command

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: IMAP Protocol Violation
Attack Information: Long Token in LOGIN Command