Preemptive Protection against ClamAV Mail Filter Extension Code Execution Vulnerability

Check Point Reference: CPAI-2007-108
Date Published:
Severity:
Source: Secunia Advisory: SA26530
Industry Reference(s): CVE-2007-4560
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
Who is Vulnerable?
ClamAV Project Clam AntiVirus prior to 0.91.2
Vulnerability Description
A code execution vulnerability has been reported in the Clam AntiVirus product. Clam AntiVirus is an open source anti-virus toolkit that provides e-mail scanning on mail gateways. A remote attacker could exploit this issue to execute commands on an affected system.
Update/Patch Available
Update Clam AntiVirus to version 0.91.2:
Clam AntiVirus
Vulnerability Details
The vulnerability is due to an error in Sendmail, the mail transfer agent in ClamAV, which fails to properly handle malformed recipient addresses extracted from e-mail messages. An attacker can trigger this vulnerability via a specially crafted e-mail message, but only when the ClamAV-milter "black hole" mode is activated. Successful exploitation may result in execution of arbitrary code on the vulnerable system.

Protection Overview
When this protection is enabled, SmartDefense detects and blocks SMTP mail messages that target this vulnerability. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65, R62, R61, R60 & VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Define an SMTP Resource:
I. In the toolbar, go to Manage > Resources. A "Resources" window pops up.
II. Click New > SMTP. An "SMTP Resource Properties" window pops up.
III. Choose a name for the resource and click the Match tab.
IV. In the Recipient field type *&* and click OK. Close the "Resources" window.

2. In the Security tab, add a new rule.
I. Under the Service field, right-click the value field > Add With Resource, and choose the SMTP service. Select the resource you previously defined from the box in the "Resource" section. Click OK.
II. Under the Action field, right-click the value field > Reject / Drop.
III. Configure the rest of the rule fields in accordance with your network policy.

3. Install policy on all modules.
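
The recipient match configured in step 1, as an added example (not Check Point or ClamAV code): it applies the same *&* wildcard to the RCPT TO commands of a constructed SMTP session and reports which recipients the reject rule would stop. Shell-style wildcard semantics for the Recipient field are an assumption, and the function names and sample addresses are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Wildcard from the advisory's Recipient field (glob semantics are an assumption).
RECIPIENT_PATTERN = "*&*"

# RCPT TO:<forward-path> [ESMTP parameters]; the verb is case-insensitive.
RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*(.*)$", re.IGNORECASE)


def extract_recipient(line):
    """Return the forward-path of an SMTP RCPT TO command, or None."""
    m = RCPT_RE.match(line)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith("<"):
        end = rest.find(">")
        # Unterminated bracket: keep the remainder so the check still sees it.
        return rest[1:end] if end != -1 else rest[1:]
    # No angle brackets: the path ends where ESMTP parameters begin.
    return rest.split(" ", 1)[0]


def evaluate_session(lines):
    """Return (recipient, action) for each RCPT TO line, as the reject rule would."""
    decisions = []
    for line in lines:
        rcpt = extract_recipient(line)
        if rcpt is None:
            continue
        action = "reject" if fnmatchcase(rcpt, RECIPIENT_PATTERN) else "accept"
        decisions.append((rcpt, action))
    return decisions

# Constructed SMTP client commands (hypothetical addresses, not captured traffic).
SAMPLE_SESSION = [
    "EHLO client.example",
    "MAIL FROM:<sender@source.example>",
    "RCPT TO:<recipient@dest.example>",
    "rcpt to:<first&second@dest.example> NOTIFY=NEVER",
    "RCPT TO: plain&name@dest.example",
    "RCPT TO:<user@dest.example> ORCPT=rfc822;a&b@dest.example",
    "DATA",
]

if __name__ == "__main__":
    for rcpt, action in evaluate_session(SAMPLE_SESSION):
        print(f"{action:6} {rcpt}")
```

Only the forward-path is tested, so an ampersand that appears solely in an ESMTP parameter does not cause a reject in this sketch.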

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Agent: mail server
from: sender@source.com
to: recipient@dest.com
Reason: Content Security - access denied