
Update Protection against Novell eDirectory 'evtFilteredMonitorEventsRequest' Vulnerability


Check Point Reference: CPAI-2006-137
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2006-4142
Industry Reference(s): CVE-2006-4510
Protection Provided by:
VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Novell eDirectory version 8.8.1 and prior
Vulnerability Description
A remote code execution vulnerability has been detected in the LDAP service of Novell eDirectory. Novell eDirectory is a directory service product for centrally managing access to resources on multiple servers and computers within a network. A remote attacker can exploit this vulnerability to execute arbitrary code on a target system.
Update/Patch Available
Apply patches:

Novell eDirectory Post 8.8.1 FTF1 for NW and Win32:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/

Novell eDirectory Post 8.8.1 FTF1 for Linux\Unix:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/

Vulnerability Details
The flaw is due to an invalid free in the 'evtFilteredMonitorEventsRequest' function when processing crafted LDAP messages. An attacker can exploit this vulnerability by sending a specially crafted request to a target server. Successful exploitation could allow a remote attacker to crash the server or execute arbitrary code on an affected system.

Protection Overview
The protection blocks specially crafted LDAP requests that may lead to a denial of service condition (DoS) on the affected LDAP server.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

Upon update, users are protected against this vulnerability if the LDAP protection for blocking multiple remote denial of service vulnerabilities addressed in the Protection section of CPAI-2006-039 has been applied.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on November 30, 2006 includes the following protections:

Novell eDirectory 'evtFilteredMonitorEventsRequest' Vulnerability (CPAI-2006-137)
Microsoft NetWare Client Service Remote Code Execution Vulnerability (MS06-066) - CPAI-2006-138
Microsoft Workstation Service Buffer Overflow Vulnerability (MS06-070) - CPAI-2006-139
Microsoft XML Remote Code Execution Vulnerability (MS06-071) - CPAI-2006-140
Visual Studio WMI Code Execution Vulnerability (CPAI-2006-141)
Microsoft Agent Remote Code Execution Vulnerability (MS06-068) - CPAI-2006-142
Block MSN Messenger Live 8 (CPAI-2006-143)
AOL Nullsoft Winamp Ultravox Heap Overflow Vulnerability (CPAI-2006-144)

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > LDAP > LDAP Server Remote DoS.
2. In the LDAP Server Remote DoS configuration pane, under LDAP Server Remote DoS settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Novell eDirectory DoS attempt detected

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in CPAI-2006-039 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Novell eDirectory DoS attempt detected

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in CPAI-2006-039 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99389 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in CPAI-2006-039 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99389 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in CPAI-2006-039 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Novell eDirectory DoS attempt detected

InterSpect 2.0

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in CPAI-2006-039 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: LDAP Protections
Attack Information: Novell eDirectory DoS attempt detected