Preemptive Protection against McAfee HTTP Server Buffer Overflow Vulnerability
| Check Point Reference: | CPAI-2006-132 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | FrSIRT/ADV-2006-3861 | |
| Industry Reference(s): | CVE-2006-5156 US-CERT VU#842452 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? McAfee ePolicy Orchestrator version 3.5.0 Patch 5 and prior McAfee ProtectionPilot version 1.1.1 Patch 2 and prior | ||
| Vulnerability Description McAfee ePolicy Orchestrator provides proactive defense against malicious threats and attacks. McAfee ProtectionPilot is a centralized system security manager designed specifically for businesses with up to 500 systems. A vulnerability has been reported in McAfee ePolicy Orchestrator and in McAfee ProtectionPilot. A remote attacker could exploit this vulnerability to deny service from legitimate users or to execute arbitrary code on an affected system. |
||
|
Update/Patch Available Upgrade to McAfee ePolicy Orchestrator 3.5 Patch 6 : http://download.nai.com/products/patches/ePO/v3.5/EPO3506.zip Upgrade to McAfee ProtectionPilot 1.1.1 Patch 3 : http://download.nai.com/products/patches/protectionpilot/v1.1.1/PRP1113.zip |
|
|
Vulnerability Details The vulnerability is due to a buffer overflow error in McAfee HTTP server that is used in McAfee products. The McAfee HTTP server fails to properly handle overly long 'source' headers. A remote attacker can trigger this vulnerability by sending a specially crafted HTTP packet with a long 'source' header to a vulnerable system. |
Protection Overview
The HTTP Format Sizes protection allows users to configure upper bounds to various HTTP header names. No update is required to address this vulnerability.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the HTTP Format Sizes pane, under HTTP Format Sizes Settings > Mode, check Active.
3. Under Specific Headers Lengths, click Add. The Header Length Settings pane opens.
3. Enter the following information:
Header Name: Source
Header Max Length: 40
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Information: Illegal header format detected
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes. 
2. In the HTTP Format Sizes pane, under Specific Headers Lengths, click Add. The Header Length Settings pane opens.
3. Enter the following information:
Header Name: Source
Header Max Length: 40
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Information: Illegal header format detected
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
3. In the HTTP Format Sizes pane, under Specific Headers Lengths, click Add. The Header Length Settings pane opens.
4. Enter the following information:
Header Name: Source
Header Max Length: 40
5. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Malformed HTTP
Attack Information: Illegal header format detected