Update Protection against Multiple Trend Micro ServerProtect Buffer Overflow Vulnerabilities

Vulnerability
Protection

Check Point Reference:	CPAI-2007-106
Date Published:
Severity:
Source:	Secunia Advisory: SA26523
Industry Reference(s):	CVE-2007-4218
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55 VSX NGX InterSpect NGX 2.0 and 1.x Connectra NGX R62 NGX R61
Who is Vulnerable? Trend Micro ServerProtect for Windows 5.58 Build 1176 Trend Micro ServerProtect for Windows 5.58 Patch3 and prior
Vulnerability Description Trend Micro ServerProtect is prone to multiple buffer overflow vulnerabilities. Trend Micro ServerProtect is a centrally managed virus protection console for enterprise-class servers. A remote attacker may exploit these issues to execute arbitrary code on a vulnerable system via a specially crafted RPC request.

Update/Patch Available Download Security Patch 4 - Build 1185: Trend Micro
Vulnerability Details The vulnerabilities are due to several boundary errors in various functions of Trend Micro ServerProtect that fails to properly handle malformed RPC requests. A remote attacker could specially craft a malicious RPC request that will cause the system to execute arbitrary commands.

Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to Trend Micro ServerProtect.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on September 18, 2007 includes the following protections:

Squid Proxy TRACE Request Denial of Service Vulnerability (CPAI-2007-084)
Microsoft Exchange Server iCal Denial of Service Vulnerability (MS07-026) CPAI-2007-081
Microsoft Exchange SMTP MIME Vulnerability (MS07-026) CPAI-2007-094
Yahoo! Widgets YDP ActiveX Control Buffer Overflow Vulnerability (CPAI-2007-105)
Multiple Trend Micro ServerProtect Buffer Overflow Vulnerabilities (CPAI-2007-106)

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Trend Micro ServerProtect Protections > Block Trend Micro ServerProtect Buffer Overflow.

2. In the configuration pane, under Settings > Mode, check Active.

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
SetPagerNotifyConfig vulnerability detected
RPCFN_CopyAUSrc vulnerability detected
SPNT Engine vulnerability detected
SetSvcImpersonateUser vulnerability detected
RPCFN Engine vulnerability detected

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:

Block Trend Micro ServerProtect Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:

Block Trend Micro ServerProtect Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99921, #99922, #99923, #99924 and #99925 for SetPagerNotifyConfig vulnerability, RPCFN_CopyAUSrc vulnerability, SPNT Engine vulnerability, SetSvcImpersonateUser vulnerability and RPCFN Engine vulnerability accordingly.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:

Block Trend Micro ServerProtect Buffer Overflow

3. Install policy on all modules.

InterSpect NGX

How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:

Block Trend Micro ServerProtect Buffer Overflow

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:

Block Trend Micro ServerProtect Buffer Overflow

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:

Block Trend Micro ServerProtect Buffer Overflow

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Legal Notice for Threat Center Advisories