Update Protection against Trend Micro ServerProtect EarthAgent DCE-RPC Buffer Overflow Vulnerability
| Check Point Reference: | CPAI-2007-097 | |
| Date Published: | ||
| Severity: | ||
| Source: | Secunia Advisory: SA25186 | |
| Industry Reference(s): | CVE-2007-2508 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Trend Micro ServerProtect 5.58 | ||
| Vulnerability Description A buffer overflow vulnerability has been reported in Trend Micro ServerProtect. Trend Micro ServerProtect is a centrally managed virus protection console for enterprise-class servers. A remote attacker may exploit this issue to execute arbitrary code on a vulnerable system via a specially crafted RPC request. |
||
|
Update/Patch Available Apply patches: Trendmicro2 Trendmicro3 |
|
|
Vulnerability Details The vulnerability is due to a boundary error in the EarthAgent (EarthAgent.exe) daemon, the vulnerable component of Trend Micro ServerProtect, that fails to properly handle malformed RPC requests. A remote attacker could specially craft a malicious RPC request that will cause the system to execute arbitrary commands. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to Trend Micro ServerProtect over TCP port 3628.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on August 21, 2007 includes the following protections:
Sun Microsystems Java System Web Proxy sockd Daemon Buffer Overflow Vulnerability (CPAI-2007-091)
WinZip FileView ActiveX Controls Buffer Overflow Vulnerability (CPAI-2007-092)
Provideo ISSCamControl Module ActiveX Control Buffer Overflow Vulnerability (CPAI-2007-093)
Trend Micro ServerProtect EarthAgent DCE-RPC Buffer Overflow Vulnerability (CPAI-2007-097)
Trend Micro ServerProtect CreateBinding DCE-RPC Buffer Overflow Vulnerability (CPAI-2007-098)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Trend Micro ServerProtect Protections > Block Trend Micro ServerProtect Buffer Overflow. 
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information: EarthAgent vulnerability detected
VPN-1 NGX R61 & R60
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information: EarthAgent vulnerability detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99912 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections.
2. Select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99912 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
3. Install security policy.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information: EarthAgent vulnerability detected
InterSpect 2.0
How Can I Protect My Network? Block Trend Micro ServerProtect Buffer Overflow 2. Install security policy.
1. In the SmartDefense tree, click Application Intelligence > Trend Micro ServerProtect Protections and enable the following protection:
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information: EarthAgent vulnerability detected
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Trend Micro ServerProtect Buffer Overflow
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: Trend Micro ServerProtect Protection Violation
Attack Information: EarthAgent vulnerability detected