Update Protection against Trend Micro ServerProtect Buffer Overflow Vulnerabilities
| Check Point Reference: | CPAI-2007-047 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Secunia Advisory: SA24243 | |
| Industry Reference(s): | CVE-2007-1070 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Trend Micro ServerProtect for Windows version 5.58 Trend Micro ServerProtect for EMC version 5.58 Trend Micro ServerProtect for Network Appliance Filer version 5.61 Trend Micro ServerProtect for Network Appliance Filer version 5.62 | ||
| Vulnerability Description Trend Micro ServerProtect is prone to multiple buffer overflow vulnerabilities. Trend Micro ServerProtect is a centrally managed virus protection console for enterprise-class servers. A remote attacker may exploit this issue to execute arbitrary code on a vulnerable system via a specially crafted RPC request. |
||
|
Update/Patch Available Apply patch: Trend Micro |
|
|
Vulnerability Details The vulnerabilities are due to several boundary errors in various functions of Trend Micro ServerProtect that fails to properly handle malformed RPC requests. A remote attacker could specially craft a malicious RPC request that will cause the system to execute arbitrary commands. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to Trend Micro ServerProtect over TCP port 5168.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on April 15, 2007 includes the following protections:
Symantec Veritas NetBackup Code Execution Vulnerability (CPAI-2007-045)
Oracle ORADC ActiveX Control Code Execution Vulnerability (CPAI-2007-046)
Trend Micro ServerProtect Buffer Overflow Vulnerabilities (CPAI-2007-047)
Novell Netmail WebAdmin Buffer Overflow Vulnerability (CPAI-2007-048)
Novell NetMail IMAP Verb Literal Buffer Overflow Vulnerability (CPAI-2007-049)
Microsoft Windows Workstation Service Vulnerability (CPAI-2007-050)
Trend Micro OfficeScan ActiveX Buffer Overflow Vulnerability (CPAI-2007-051)
Protect Yourself against FTP Brute Force Attacks (SBP-2007-05)
Protect Yourself against FTP Format Strings Attacks (SBP-2007-06)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Trend Micro ServerProtect Protections > Block Trend Micro ServerProtect Buffer Overflow. 
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
Net test buffer overflow attempt detected
Active update buffer overflow attempt detected
Send mail buffer overflow attempt detected
Set real buffer overflow attempt detected
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
Net test buffer overflow attempt detected
Active update buffer overflow attempt detected
Send mail buffer overflow attempt detected
Set real buffer overflow attempt detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99864, #99865, #99866 and #99867 for Net test buffer overflow attempt, Active update buffer overflow attempt, Send mail Buffer overflow attempt and Set real buffer overflow attempt accordingly.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99864, #99865, #99866 and #99867 for Net test buffer overflow attempt, Active update buffer overflow attempt, Send mail Buffer overflow attempt and Set real buffer overflow attempt accordingly.
InterSpect NGX
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
3. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
Net test buffer overflow attempt detected
Active update buffer overflow attempt detected
Send mail buffer overflow attempt detected
Set real buffer overflow attempt detected
InterSpect 2.0
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow 2. Install security policy.
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
Net test buffer overflow attempt detected
Active update buffer overflow attempt detected
Send mail buffer overflow attempt detected
Set real buffer overflow attempt detected
Connectra NGX R62/R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information:
Net test buffer overflow attempt detected
Active update buffer overflow attempt detected
Send mail buffer overflow attempt detected
Set real buffer overflow attempt detected