
Security Best Practice: POP3/IMAP Security


Check Point Reference: SBP-2006-18
Date Published:
Severity:
Source: SmartDefense Research Center
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
VSX
  • NGX R65
Who is Vulnerable?
POP3 and IMAP mail servers
Vulnerability Description
Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) are electronic mail protocols used to retrieve messages stored on e-mail servers.

These protocols have several serious security weaknesses that allow attackers to compromise a remote server, gain full access rights, or launch denial of service (DoS) attacks.
Vulnerability Details
POP3 and IMAP4 are both 'pull' protocols. To check for messages, a client (e.g. Outlook Express) connects to its mail server over one of these protocols, logs in to its mailbox and 'pulls' out its messages. POP3 lets the remote client view, download, list and delete messages, while IMAP4 is more advanced in that it permits manipulation of remote message folders (mailboxes) in a way that is functionally equivalent to working with local mailboxes. IMAP4 also includes operations for creating, deleting and renaming mailboxes; checking for new messages; permanently removing messages; and more.

There are several attack vectors against POP3 and IMAP4 mail servers. An attacker can trigger remote code execution or a denial of service condition by doing one of the following:
* Supplying an overly long user name or password as input.
* Using binary characters in the username or password.
* Using binary characters in other POP3 or IMAP4 commands.
* Sending malformed or unknown commands to the server.

Protection Overview
IPS/SmartDefense offers options that restrict the POP3/IMAP traffic entering the network, making it possible to recognize and stop the malicious behavior described above. For example, IPS/SmartDefense can enforce a maximum length for the username and password, which blocks the long strings used in buffer overrun attacks that can crash the server.

IPS/SmartDefense can also mitigate deliberate resource exhaustion: it can limit the number of NOOP (no operation) commands a client may send, since a flood of such commands can be used in a denial of service attack.
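The following is an added example, not Check Point code, that models the checks described in the attack vector list and the protection overview above as a small command-line inspector for POP3 and IMAP sessions. It flags binary data in a command line, unknown commands, over-long credentials and excessive NOOP commands, and labels each finding with the same "Attack Information" strings this advisory lists for SmartView Tracker. The length and NOOP thresholds, the allowed-command sets, and the sample sessions are assumptions constructed for the example; the "Found a weak password" check is not modelled because the page does not define it.

```python
"""Inspect POP3/IMAP client command lines for the abuse patterns described above.

Example code: thresholds and allowed-command sets are assumptions, not IPS defaults.
"""
import re
from dataclasses import dataclass

MAX_CREDENTIAL_LEN = 64   # assumed limit for a username or password argument
MAX_NOOP_COMMANDS = 5     # assumed limit on NOOP commands per session

# Subsets of the RFC 1939 (POP3) and RFC 3501 (IMAP4) command sets; anything else is "unknown".
POP3_COMMANDS = {"USER", "PASS", "APOP", "STAT", "LIST", "RETR", "DELE", "NOOP",
                 "RSET", "TOP", "UIDL", "QUIT", "CAPA", "STLS"}
IMAP_COMMANDS = {"LOGIN", "AUTHENTICATE", "CAPABILITY", "NOOP", "LOGOUT", "STARTTLS",
                 "SELECT", "EXAMINE", "CREATE", "DELETE", "RENAME", "SUBSCRIBE",
                 "UNSUBSCRIBE", "LIST", "LSUB", "STATUS", "APPEND", "CHECK", "CLOSE",
                 "EXPUNGE", "SEARCH", "FETCH", "STORE", "COPY", "UID", "IDLE"}

# A command line should be printable ASCII only (CRLF is stripped before the check).
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")


@dataclass
class Finding:
    protocol: str
    attack_name: str
    attack_info: str
    line: bytes


@dataclass
class SessionState:
    noop_count: int = 0


def inspect_line(protocol: str, raw: bytes, state: SessionState) -> list:
    """Inspect one client command line (CRLF already stripped) and return findings."""
    proto = protocol.upper()
    findings = []

    # Binary characters anywhere in the command line are reported as a format violation.
    if NON_PRINTABLE.search(raw):
        name = "Format violation" if proto == "POP3" else "IMAP Format violation"
        findings.append(Finding(proto, name, "Binary data in command line", raw))
        return findings

    parts = raw.decode("ascii").split()
    if not parts:
        return findings
    policy = f"{proto} policy violation"

    if proto == "POP3":
        cmd, args, allowed, cred_cmds = parts[0].upper(), parts[1:], POP3_COMMANDS, {"USER", "PASS", "APOP"}
    else:
        # IMAP commands carry a client tag first, e.g. "a001 LOGIN user pass".
        if len(parts) < 2:
            findings.append(Finding(proto, policy, "Unknown or unallowed command", raw))
            return findings
        cmd, args, allowed, cred_cmds = parts[1].upper(), parts[2:], IMAP_COMMANDS, {"LOGIN"}

    if cmd not in allowed:
        findings.append(Finding(proto, policy, "Unknown or unallowed command", raw))
        return findings

    # Over-long credential arguments are the classic buffer overrun vector.
    if cmd in cred_cmds and any(len(a) > MAX_CREDENTIAL_LEN for a in args):
        findings.append(Finding(proto, policy, "Username or password too long", raw))

    # Count no-effect commands per session to catch NOOP floods.
    if cmd == "NOOP":
        state.noop_count += 1
        if state.noop_count > MAX_NOOP_COMMANDS:
            findings.append(Finding(proto, policy, "Too many no-effect commands", raw))
    return findings


def inspect_session(protocol: str, lines: list) -> list:
    """Run inspect_line over every client line of a session, keeping per-session state."""
    state = SessionState()
    findings = []
    for raw in lines:
        findings.extend(inspect_line(protocol, raw.rstrip(b"\r\n"), state))
    return findings


# Constructed sample sessions (not captured traffic) exercising each check once.
SAMPLE_POP3 = ([b"USER alice\r\n", b"PASS s3cret\r\n", b"STAT\r\n"]
               + [b"NOOP\r\n"] * 6
               + [b"USER " + b"A" * 200 + b"\r\n", b"XFOO bar\r\n", b"LIST \x00\xff\r\n"])
SAMPLE_IMAP = [b"a001 CAPABILITY\r\n", b"a002 LOGIN bob " + b"P" * 100 + b"\r\n",
               b"a003 FROBNICATE\r\n", b"a004 SELECT INBOX\x01\r\n"]

if __name__ == "__main__":
    for proto, sample in (("POP3", SAMPLE_POP3), ("IMAP", SAMPLE_IMAP)):
        for f in inspect_session(proto, sample):
            print(f"Attack Name: {f.attack_name} | Attack Information: {f.attack_info} | {f.line[:40]!r}")
```

The inspector keeps NOOP counts per session rather than per line, which is what makes the "too many no-effect commands" check meaningful; a real gateway would key that state on the TCP connection.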

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
CPSA-2004-04

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Mail.
2. In the right pane, double-click the following protection:
   POP3/IMAP Security
3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: POP3 policy violation
Attack Information:
Unknown or unallowed command
Username or password too long
Found a weak password
Too many no-effect commands

Attack Name: Format violation
Attack Information: Binary data in command line

Attack Name: IMAP policy violation
Attack Information:
Unknown or unallowed command
Username or password too long
Found a weak password
Too many no-effect commands

Attack Name: IMAP Format violation
Attack Information: Binary data in command line

VPN-1 NGX R65/R62 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Mail > POP3/IMAP Security.
2. In the configuration pane, under Settings > Mode, check Active.
3. The protection can be applied either to all HTTP traffic or to selected web servers.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: POP3 policy violation
Attack Information:
Unknown or unallowed command
Username or password too long
Found a weak password
Too many no-effect commands

Attack Name: Format violation
Attack Information: Binary data in command line

Attack Name: IMAP policy violation
Attack Information:
Unknown or unallowed command
Username or password too long
Found a weak password
Too many no-effect commands

Attack Name: IMAP Format violation
Attack Information: Binary data in command line