Update Protection against Multiple Trend Micro ServerProtect Buffer Overflow Vulnerabilities
| Check Point Reference: | CPAI-2007-106 | |
| Date Published: | ||
| Severity: | ||
| Source: | Secunia Advisory: SA26523 | |
| Industry Reference(s): | CVE-2007-4218 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Trend Micro ServerProtect for Windows 5.58 Build 1176 Trend Micro ServerProtect for Windows 5.58 Patch3 and prior | ||
| Vulnerability Description Trend Micro ServerProtect is prone to multiple buffer overflow vulnerabilities. Trend Micro ServerProtect is a centrally managed virus protection console for enterprise-class servers. A remote attacker may exploit these issues to execute arbitrary code on a vulnerable system via a specially crafted RPC request. |
||
|
Update/Patch Available Download Security Patch 4 - Build 1185: Trend Micro |
|
|
Vulnerability Details The vulnerabilities are due to several boundary errors in various functions of Trend Micro ServerProtect that fails to properly handle malformed RPC requests. A remote attacker could specially craft a malicious RPC request that will cause the system to execute arbitrary commands. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to Trend Micro ServerProtect.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The update released on September 18, 2007 includes the following protections:
Squid Proxy TRACE Request Denial of Service Vulnerability (CPAI-2007-084)
Microsoft Exchange Server iCal Denial of Service Vulnerability (MS07-026) CPAI-2007-081
Microsoft Exchange SMTP MIME Vulnerability (MS07-026) CPAI-2007-094
Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vulnerability (CPAI-2007-105)
Multiple Trend Micro ServerProtect Buffer Overflow Vulnerabilities (CPAI-2007-106)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Trend Micro ServerProtect Protections > Block Trend Micro ServerProtect Buffer Overflow. 
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected
VPN-1 NGX R61 & R60
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99921, #99922, #99923, #99924 and #99925 for SetPagerNotifyConfig vulnerability, RPCFN_CopyAUSrc vulnerability, SPNT Engine vulnerability, SetSvcImpersonateUser vulnerability and RPCFN Engine vulnerability accordingly.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99921, #99922, #99923, #99924 and #99925 for SetPagerNotifyConfig vulnerability, RPCFN_CopyAUSrc vulnerability, SPNT Engine vulnerability, SetSvcImpersonateUser vulnerability and RPCFN Engine vulnerability accordingly.
InterSpect NGX
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
3. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected
InterSpect 2.0
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow 2. Install security policy.
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected